
Received external Signed Messages will be Suspect all the time

Hello,

we have had a problem since we started with PureMessage Unix several years ago: any signed messages we receive are declared as suspect :(

Does anyone have an idea how we can make signed messages be trusted?

Our PureMessage Unix version is 6.4.3 on CentOS 7.

Thanks

Dirk



  • Hi Dirk,

    Can you clarify the "signed" part.. were you referring to PGP or DKIM or some other message signing?

    Guessing you're seeing this:

    https://community.sophos.com/products/puremessage/f/sophos-puremessage/102265/puremessage-for-unix-now-detects-openpgp-gpg

  • Hi Red_Warrior,

    both types are seen as suspect, the S/MIME:

    Content-Type: application/pkcs7-signature; name="smime.p7s"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="smime.p7s"
    Content-Description: S/MIME Cryptographic Signature

    and the PGP Signature:

    Content-Type: application/pgp-signature;
    name=signature.asc
    Content-Description: Message signed with OpenPGP

    I will test article 132007 from the Knowledge Base and write the result here; thanks for informing me about the article.

    Thanks

    Dirk

  • Hi Red_Warrior,

    it's me again. I have updated to the newest PureMessage version 6.4.4 and put the cantscan rules in the policy for the Suspect rule:

     # attr NAME=Suspicious attachments
     if pmx_suspect_attachment :tft {
         # Either there is a suspect attachment OR
         # the AV engine encountered an error while classifying the attachments
         # attr NAME=Deliver and mark mail containing unscannable attachments
         if pmx_cantscan {
             # the AV engine encountered an error while classifying the attachments
             pmx_replace_header :index 0 "Subject" "[POTENTIAL SUSPECT ATTACHMENT] %%SUBJECT%%";
             pmx_mark "pmx_reason" "Unscannable";
         }
         # attr NAME=Quarantine mail containing suspicious attachments
         else {
             # There is a suspect attachment
             pmx_mark "pmx_reason" "Suspect";
             pmx_quarantine "Suspect";
             stop;
         }
     }
     # attr NAME=Deliver there is no suspect attachment
     else {
         # there is no suspect attachment
     }

    But it will not work :(

    The pmx_log writes: quarantine: Suspect

    Is it possible that the "Suspect attachment types" are the reason for the Suspect declaration?

    We have the Suspect attachment types:
    message/external-body
    message/partial

    Thanks

    Dirk

  • Yes, that is a possibility; PMX will run policy in the exact order of your .siv file.

    The other thing here is exactly how this email is scanning. You could get some further insight into the file by looking at the following:

    Create a test sample:

    sudo su - pmx6

    cd /tmp

    touch test.eml

    vi test.eml

    i

    shift + insert

    :wq!

    Conduct a policy inject:

    pmx-policy inject test.eml --relay external --dry-run -v -v -v >output.txt

    This will inject the email into the milter process and output to output.txt. Then just grep the file or open it up and have a read through it. It will be in order and contain RULE HIT: with the rules; this will help you determine exactly which rules are hitting and in what order. It will also give you a sample for support.

    Test the file:

    pmx-list-true-filetypes test.eml

    Test vs AV scanning:

    Step #1: enable daemon mode

    cp -p /opt/pmx6/etc/virus.d/sophos.conf   /opt/pmx6/etc/virus.d/sophos.conf.bak

    vi  /opt/pmx6/etc/virus.d/sophos.conf

    change "daemon" from = __DEFAULT__ 

    to : daemon = on

    :wq!

    pmx restart

    pmx-vscan scan test.eml

    This will ensure the file is unscannable.

    Notes:

    You may wish to output all of the results to files and at that point open a support case. I do not recommend posting configuration or results of these tests to the forums.

    From what you're saying, I'm guessing these 3 tests will allow you to ensure the file types and order are being scanned correctly, along with the modification of the can't-scan rule.

    Another thing you could do is create a general rule to scan for the PGP marker (or a specific marker), then use that rule context in your cant-scan rule as a ! (negated) rule.

    So you're basically saying: PMX can't scan, except if you see --pgp begin-- or something along those lines.

    To revert to on-access scanning, just replace the config file and restart pmx. Or, if you want to run the scanner all the time and get a lot of files to scan, you may wish to leave it in daemon mode. Up to you.
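As an added example (not from the thread and not Sophos code), a small Python check that walks the MIME parts of a test .eml and reports which parts are detached signatures (the S/MIME and OpenPGP content types quoted above) and which match the two "Suspect attachment types" Dirk listed, so the suspect-type explanation can be ruled in or out before the policy inject; the sample message is constructed and its signature bytes are a placeholder.

```python
import email
from email import policy

# The two "Suspect attachment types" listed in the thread.
SUSPECT_TYPES = {"message/external-body", "message/partial"}
# Detached-signature parts quoted in the thread (S/MIME and OpenPGP).
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/pgp-signature"}

# Constructed sample: an S/MIME multipart/signed message; "MIIB" is a placeholder, not a real signature.
SAMPLE_EML = """\
From: alice@example.test
To: dirk@example.test
Subject: signed test
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

hello
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIIB
--b1--
"""


def classify_parts(raw):
    """Walk every MIME part and tag it as signature, suspect-type or other."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in SUSPECT_TYPES:
            tag = "suspect-type"
        elif ctype in SIGNATURE_TYPES:
            tag = "signature"
        else:
            tag = "other"
        report.append((ctype, part.get_filename(), tag))
    return report


def has_suspect_type(raw):
    """True if any part's Content-Type is on the suspect attachment type list."""
    return any(tag == "suspect-type" for _, _, tag in classify_parts(raw))
```

Run it against the real test.eml instead of SAMPLE_EML; if has_suspect_type is False, the signature parts themselves are the likelier reason for the Suspect hit, which the policy inject dry-run will then confirm.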