Disable attachments in Postfix

You have postfix mail system and you want to make it reject, delete or rename potentially dangerous attachments. NB: Before you start it is advised to make a backup copy of directory /etc/postfix/ .

1) Solution One

Quite simple one, without any extra installs.

  • Edit /etc/postfix/main.cf. At the end add single line:

mime_header_checks = regexp:/etc/postfix/mime_header_checks

  • Edit /etc/postfix/mime_header_checks. Create the file if it does not exist. At the end add single line:

/name=[^>]*\.(lnk|dll|shs|vbe|hta|com|vbs|js|jse|bat|cmd|vxd|scr|shm|pif|chm|zip|exe)/ REDIRECT admin@mydomain.me

This will redirect all incoming mail with the listed files to the indicated mail. You can also just reject such mails by writing REJECT instead of REDIRECT, followed by an optional  text message.

  • Reload the new postfix configuration:

postfix reload

2) Solution Two

A bit more sophisticated.

  • Install renattach.

sudo apt-get install renattach

  • Create user ‘filter’. It is recommended that it does not have neither password, nor home directory, nor login shell.

adduser –disabled-login –no-create-home –shell /bin/false filter

  • Edit /etc/postfix/master.cf. At the end add two lines:

filter unix – n n – – pipe flags=q user=filter argv=/usr/bin/renattach -l -p /usr/sbin/sendmail -i -f ${sender} — ${recipient} NB:

  1. The second line shall start with two spaces.
  2. Write full program names or you may get error with message “temporary failure. Command output: Error executing pipe command: sendmail “)
  • Edit again /etc/postfix/master.cf. Find at the top of the file the section which looks like:

# ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ==========================================================================

smtp inet n – – – – smtpd

And add this line under it:

-o content_filter=filter NB:

  1. The line shall start with four spaces.

If there are already some other options, you may add it under them all, e.g.:

smtp inet n – – – – smtpd
-o content_filter=spamfilter
-o receive_override_options=no_address_mappings
-o content_filter=filter

  • Edit configuration file /etc/renattach/renattach.conf:

Go to the bottom of the file and uncomment badlist lines. You can add extra your own lines if you want, e.g.

badlist = ZIP

Also, change the message in the subject of the processed message, e.g.:

add_subject = [Suspicious attachments renamed]

Or invent your own extension for the renamed files, e.g.:

new_extension = suspicious

  • Reload the new postfix configuration:

postfix reload

Enjoy extra protection!

Both Solutions as they are described here do not work together, because the Solution One will be first to get to the mail and it will never make it to the renattach. So you have to choose either one of them.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s