Encrypted PDFs

mhammett
Advanced member
Posts: 100
Joined: Sat Jul 19, 2014 7:07 am
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU14.64 U

Encrypted PDFs

Post by mhammett » Tue May 01, 2018 1:46 pm

I've seen the posts about how to allow them all or deny them all.
I've also seen how to allow them through one-by-one after the fact.


When can we see Zimbra add a bit better UI on how to whitelist particular senders with regards to encrypted PDFs? Things like paystubs are sent as encrypted PDFs. I've seen other systems send legitimate e-mail that's an encrypted PDF. Obviously, you can't just whitelist all encrypted PDFs because some are malware.

Back to manually pushing through ones that have already been blocked...



Re: Encrypted PDFs

Post by mhammett » Mon May 06, 2019 11:19 pm

Is anyone other than crickets in here?

Jordack
Posts: 30
Joined: Sat Sep 13, 2014 2:15 am

Re: Encrypted PDFs

Post by Jordack » Sun May 12, 2019 8:12 pm

https://bugzilla.zimbra.com/ is where you should place a feature request.

I have not seen any feature requests for it, so not sure you will see the feature anytime soon :(

JDunphy
Outstanding Member
Posts: 513
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: Encrypted PDFs

Post by JDunphy » Mon May 13, 2019 4:41 am

I think what you want is this virus_name_to_spam_score_maps ... This would allow you to score this in SA and provide that flexibility.

https://lists.amavis.org/pipermail/amavis-users/2011-October/000934.html

Anything matching would be sent on to SA where you could look at X-Amavis-AV-Status to see if that was an encrypted pdf... then create a meta rule to allow your senders through... else score it to non deliverable.

Re: Encrypted PDFs

Post by JDunphy » Wed Jan 29, 2020 6:20 pm

I thought I would share my solution since I have a new mobile app that likes to encrypt pdf's and I wasn't going to keep releasing it from quarantine. While the newer clamav updated with 8.7.11.p14 has the concept of encrypted docs vs encrypted archives, that isn't enough granularity when you just want to allow encrypted pdf's through to SA for scoring. My solution was to do the following:

1. Add the following to your salocal.cf

Code:

header J_ENCR_PDF  X-Amavis-AV-Status =~ m{Heuristics\.Encrypted\.PDF}i
score J_ENCR_PDF  0.1
describe J_ENCR_PDF Allow encrypted pdf's through


2. Modify: /opt/zimbra/common/sbin/amavisd and add the single line with the comment #JAD

Code:

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters, first match wins
    [ qr'^Structured\.(SSN|CreditCardNumber)\b'            => 0.1 ],
    [ qr'^(Heuristics\.)?Phishing\.'                       => 0.1 ],
    [ qr'^Heuristics\.Encrypted\.PDF'                      => 0.1 ], #JAD
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'      => 0.1 ],


Warning: you need to remember to check /opt/zimbra/common/sbin/amavisd that your entry is still here after updating or patches to Zimbra as we are modifying amavisd directly. Unfortunately, this specific solution doesn't appear to have been resolved with various open bugs over the years so I don't have a cleaner way to do this that is supported by Zimbra other than all or nothing for encrypted archives (tell me if you know a better way for just PDF's)... Bug 67317 and Bug 67317 being the more recent requests.

The good news is that now that SA is involved with scoring for encrypted pdf's messages, one can do this on a more restrictive basis such as per user or domain, whitelisting, etc, etc. You also get some benefit by allowing your scoring model to have a go at it. Modify the SA score if you feel that allowing encrypted pdf's should count higher with your spam model.

Jim
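
The meta rule JDunphy describes in this thread, sketched as an added example (not code from the thread or from Zimbra): an encrypted PDF is only let through for allow-listed senders and is scored as undeliverable for everyone else. The rule names, addresses, the 10.0 score and the use of DKIM_VALID_AU are assumptions.

```conf
# Added example for salocal.cf. Addresses, rule names and scores are
# placeholders chosen for illustration, not values from the thread.

# Sub-rules (names starting with "__") match but never score on their own.
# Same header test as J_ENCR_PDF in the post above.
header   __ENCR_PDF          X-Amavis-AV-Status =~ m{Heuristics\.Encrypted\.PDF}i

# Senders allowed to deliver encrypted PDFs: one exact address and one
# whole domain (both constructed placeholders).
header   __ENCR_PDF_SENDER   From:addr =~ /^payroll\@example\.com$|\@statements\.example\.org$/i

# From: is trivially forged, so also require a valid author-domain DKIM
# signature. DKIM_VALID_AU is provided by SpamAssassin's DKIM plugin;
# that the plugin is loaded on this server is an assumption. If it is not,
# the allow list never matches and every encrypted PDF is scored high.
meta     __ENCR_PDF_TRUSTED  (__ENCR_PDF_SENDER && DKIM_VALID_AU)

# Encrypted PDF from anyone else: score it high enough to be blocked.
# 10.0 is an assumed value; set it relative to your own thresholds.
meta     ENCR_PDF_UNTRUSTED  (__ENCR_PDF && !__ENCR_PDF_TRUSTED)
score    ENCR_PDF_UNTRUSTED  10.0
describe ENCR_PDF_UNTRUSTED  Encrypted PDF from a sender not on the allow list
```

Running `spamassassin --lint` after editing reports syntax errors in the rules before amavisd is restarted.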
