Reject mail with specific file extensions

Hi!

I need to reject mail that contains files with special extensions (for example, .exe).
When I put .exe into email protection -> smtp -> antivirus -> file extension filter, UTM begins to quarantine mails with .exe files.
But how can I reject such mails?

Thanks!


This thread was automatically locked due to age.
[unlocked by: BAlfson at 7:48 PM (GMT -7) on 1 Oct 2020]
  • Even though it's 5 years old: Is there no option? We have a bunch of people still trying to send .xls/doc documents instead of the XML pendants, which are a security risk. Currently the UTMs just quarantine them - I'd like to reject them!

    The sender doesn't know he's sending 13 years deprecated stuff and expects it to be delivered.

    Any solutions for that?

  • There's no way to do this at present.  I bet there's a way to do it at the command line, but I don't know it.  Maybe a Sophos guy will come by and tell us...

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Reflecting on this, I came up with a workaround...

    One could find the quarantined items with:

    grep 'reason="ext"' /var/log/smtp.log

    Or, if you wanted to look at the ones from yesterday:

    zgrep 'reason="ext"' /var/log/smtp/2020/06/*24*

    An example (personal information obfuscated) I got with that was:

    2020:06:24-02:20:00 secure smtpd[6228]: SCANNER[6228]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="140.xxx.yyy.103" from="badguy@criminal.com" to="me@domain.com" subject="QUOTATION" queueid="1eJFxw-0001cS-9h" size="1054608" reason="ext" extra="exe"

    If the number of such cases is small, a standardized manual email could be sent to the sender stating the date, time, subject and extension.  Easy also to delete the message in the Mail Manager.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
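The grep workaround above leaves the admin to read each log line by hand. The script below is an added example (not from the thread or from Sophos) that parses the `key="value"` format of the smtp.log lines quoted above, keeps only the `reason="ext"` entries, groups them per sender and renders the standardized notice (date, time, subject, extension) that Bob describes. The log lines are constructed samples modelled on the one in the post, with a documentation IP instead of the obfuscated one; the notice wording and the `.xls`/`.exe` sample senders are assumptions.

```python
import re
import sys
from collections import defaultdict

# Sophos UTM writes the SCANNER entries of /var/log/smtp.log as key="value" pairs.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
# Leading timestamp: 2020:06:24-02:20:00
STAMP_RE = re.compile(r'^(\d{4}:\d{2}:\d{2})-(\d{2}:\d{2}:\d{2})\s')

# Constructed sample log (not captured traffic); the first line mirrors the format quoted in the thread.
SAMPLE_LOG = """\
2020:06:24-02:20:00 secure smtpd[6228]: SCANNER[6228]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.0.2.103" from="badguy@criminal.com" to="me@domain.com" subject="QUOTATION" queueid="1eJFxw-0001cS-9h" size="1054608" reason="ext" extra="exe"
2020:06:24-02:21:10 secure smtpd[6231]: SCANNER[6231]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="203.0.113.5" from="partner@example.net" to="me@domain.com" subject="Invoice 2020-06" queueid="1eJFz2-0001dT-Aa" size="88312" reason="ext" extra="xls"
2020:06:24-02:22:45 secure smtpd[6235]: SCANNER[6235]: id="1002" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="198.51.100.9" from="spam@example.org" to="me@domain.com" subject="Hello" queueid="1eJG0a-0001eU-Bb" size="2048" reason="spam"
2020:06:24-02:23:00 secure smtpd[6240]: SCANNER[6240]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="203.0.113.7" from="ok@example.net" to="me@domain.com" subject="Report" queueid="1eJG1b-0001fV-Cc" size="4096"
"""


def parse_line(line):
    """Split one smtp.log line into its date/time plus a dict of the key="value" fields.
    Returns None for lines without the UTM timestamp prefix."""
    m = STAMP_RE.match(line)
    if not m:
        return None
    fields = dict(PAIR_RE.findall(line))
    fields["date"] = m.group(1).replace(":", "-")  # 2020:06:24 -> 2020-06-24
    fields["time"] = m.group(2)
    return fields


def quarantined_by_extension(log_text, extensions=None):
    """Yield the entries quarantined by the file extension filter (reason="ext").
    If `extensions` is given, only those attachment types are returned."""
    wanted = {e.lower().lstrip(".") for e in extensions} if extensions else None
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if not f or f.get("reason") != "ext":
            continue
        if wanted is not None and f.get("extra", "").lower() not in wanted:
            continue
        yield f


def notices_by_sender(log_text, extensions=None):
    """Group the quarantined entries per sender address, one notice per sender."""
    grouped = defaultdict(list)
    for f in quarantined_by_extension(log_text, extensions):
        grouped[f["from"]].append(f)
    return dict(grouped)


def render_notice(sender, entries):
    """Render the plain-text notice: date, time, subject and extension of each held message."""
    lines = [
        f"To: {sender}",
        "Your message(s) to us were quarantined by our mail gateway because of the attachment type:",
    ]
    for f in entries:
        lines.append(f'  {f["date"]} {f["time"]}  subject="{f["subject"]}"  attachment type=.{f["extra"]}')
    lines.append("Please resend the content as a PDF or another accepted format.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 ext_notices.py [/var/log/smtp.log]; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for sender, entries in notices_by_sender(text).items():
        print(render_notice(sender, entries))
        print()
```

Running it against a real smtp.log (or the output of the zgrep shown above redirected to a file) gives one notice per sender; the `extensions` argument lets you restrict the run to, say, `["exe"]` when only some held types warrant a note. The lines themselves are still deleted or released in the Mail Manager, as Bob says; this only produces the text to send.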
  • No, but actually we have exactly the same problem. It's a shame that Sophos does not offer a solution to this. Especially as this would be a considerable gain in security. So +1 ( even if this is not the platform for ideas)

    Best regards 

    Alex 

    -

  • I neither see a solution, nor even a workaround for that.

    How does a manual "grep" replace/workaround a rejection of (specific) attachments? It's out of my logic. We don't want to delete that, we want to REJECT.

    Reject means that the sender gets informed, that he's (probably) sending risky crap and hopefully learns and retries with a filetype, that is acceptable (PDF, .docx...).

     - Christof

  • Don't +1 here, there's a function on the top-right side of this page... maybe if a billion people ring that bell, Sophos will do something (overdue) for their money. ;-)

  • Thanks for pointing that out, I was the second one that already did that. Unfortunately Sophos seems to have pushed more development power into XG for years and still XG can’t replace UTM. But that’s another story.
    I think one will need a separate mail gateway to use such functions in the near future too.

    -

  • Christof,

    The workaround I suggested allows you to inform the sender that their email was not received as it was deleted because of an unsafe attachment.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Guys, there might be a way to do this with exim, but you won't find it here.  Maybe on exim.org or github.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Do you know if the XG things can do this? Someone else I know - who's obviously not using Sophos - has a 'replacement' function that gives the receiver a text file telling what's missing, that it got blocked and that it could be released by an admin.
    That's at least better than just dropping the mail into quarantine.