Tilman Kranz – Personal Blog

Rejecting Microsoft Executables and Office Documents with Postfix

16. Juli 2020 in Administration, GNU/Linux.

Update July 16th 2020: A reader has pointed out to me that the regular expression did not (or did not always) match if the filename of the attachment contained non-ASCII characters, opening a simple way to circumvent this header check. I was able to reproduce this behavior by sending a mail with a single attachment “täst.zip” using Evolution which arrived at Postfix MTA with a MIME-structure like this:

...
Content-Type: multipart/mixed; boundary="=-PAoNeMrNohfkW7sWEPJ5"
...
--=-PAoNeMrNohfkW7sWEPJ5
Content-Type: application/zip; name*=ISO-8859-1''t%E4st.zip
Content-Disposition: attachment; filename*=ISO-8859-1''t%E4st.zip
...

Note the value of the Content-Type header, and there the part name*=ISO-8859-1''t%E4st.zip.

Please compare this to what arrives if i send a mail with an attachment “test.zip” instead:

Content-Type: application/zip; name="test.zip"
Content-Disposition: attachment; filename="test.zip"

In the below suggestion for mime_header_checks i have made the following changes:

Change = to \*?= to allow for RFC 2231 Parameter Value Character Set and Language Information.
Include the surrounding sturcture from the second example in the EXAMPLES section of http://www.postfix.org/header_checks.5.html which specifically covers the case that the “.” in the filename could arrive encoded as quoted printable =2E.

Here is a pcre-entry for Postfix’ mime_header_checks that will cause Postfix to reject any email containing

a file potentially containing code that is executable on Microsoft operating systems (note that this also includes filenames ending with .js) or
a document for Microsoft Office (including Access, Excel, Powerpoint, Visio and Word including RTF Documents) or
some archive types (ZIP-, 7Zip-, LHA-Archives and MS Exchange data in TNEF format):

# Contents of file "/etc/postfix/mime_header_checks":
/^Content-(Disposition|Type).*name\s*\*?=\s*"?([^;]*(\.|=2E)(
    accd[bert]|
    do(b|[ct][mx]?)|rtf|
    pp(am|(s|t)[mx]?)|pot[mx]?|sld[mx]|
    v[dt]x|vs[dsxt]|
    xl(am?|l|m|[st][mx]?|sb|w)|
    386|
    ad[ep]|app|as[dfx]|
    ba[st]|
    cab|c[bp]l|chm|cmd|com|crt|csh|
    dll|
    exe|
    fxp|
    hlp|ht[aor]|
    in[fips]|isp|
    jar|jse?|
    ksh|
    lib|lnk|
    md[bet]|ms[cipt]|
    ocx|ops|
    pcd|pif|prg|
    reg|
    sc[rt]|sh[bms]?|swf|sys|
    url|
    vb[esx]|vcs|vxd|
    wm[dsz]|
    ws[cfh]|
    7z|lha|tnef|zip))(\?=)?"?\s*(;|$)/x
        REJECT Attachment of type $2 not accepted

Windows 7 auf 4k: Verwaschene Darstellung der CYGWIN-Console

9. Februar 2016 in Technology.

Wer auf Windows 7 auf einem Bildschirm mit hoher Pixeldichte im CYGWIN-Terminal eine “verwaschene” bzw. unscharfe Darstellung der Schrift feststellt, muss wahrscheinlich für die Terminal-Anwendung mintty.exe eine Ausnahme von der “Globalen DPI-Skalierung” einrichten. Für mintty.exe ist das aber gar nicht so einfach, und wie ich es geschafft habe, beschreibt dieser Artikel.

Windows 7 auf 4k: Nach Display-Neustart alle Fenster zu klein und links oben

13. Februar 2016 in Technology.

Der Samsung U28E590D ist ein schöner 4k-Monitor, der sich gerne ausschaltet, um Energie zu sparen. Das finde ich gut.

Jedoch tritt dann bei mir der Effekt auf, dass nach dem Powercycle des Displays alle Fenster auf 640×480 Pixel größenverändert und in die linke obere Bildschirmecke verschoben sind.

Meine Konfiguration:

Samsung U28E590D, Auflösung 3840×2160.
Anschluss via DisplayPort.
Nvidia Geforce GTX 760.
Windows 7 Professional 64bit.

Reproduziert werden kann das Problem, in dem man ein paar Fenster aufmacht, über den Bildschirm verteilt und dann den Monitor einmal aus- und wieder anschaltet. Wenn die Fenster danach alle oder teilweise links oben auf 640×480 Pixel geändert sind, hat man dieses Problem.

UPDATE: Obwohl das in diesem Artikel beschriebene Verfahren unmittelbar Abhilfe geschaffen hat, ist es nach einigen Neustarts wieder aufgetreten und kann nun nicht mehr wie in diesem Artikel beschrieben behoben werden. Ich möchte ein Update nachreichen, sobald mir eine bessere Lösung bekannt ist, die nicht “Upgrade auf Windows 10” lautet. 😉

Sonnenuntergang im Januar 2016

21. Januar 2016 in Other.

Basic Example for Response-Policy-Zones with BIND

31. Oktober 2015 in Administration, GNU/Linux.

I would like to emulate a public DNS entry that does not exist yet, while i am developing the service that will use this name on an intranet server. Let a public domain name i develop the service for be myservice.my-cool-domain.biz. When working in my intranet 192.168.2.0/24, i want to override whatever public DNS resolves this as to some the IP 192.168.2.99. I would like to implement this using the “response-policy zones” (RPZ) feature available in recent versions of BIND.

Stabilize Shaky Video With ffmpeg and vidstab

30. August 2022 in Multimedia, Technology.

Overview

On my walking and hiking tours i often do not carry my camera but only my Android phone. Unlike the camera, the phone features no image stabilization mechanism whatsoever. In the past i have used the option offered by Google’s YouTube to apply a transformation that compensates for the most unfriendly effects of my hands being a bit shaky after some 10 or 20 miles of hiking. Since i am now moving forward to a more self-hosted approach of presenting my videos, i would like to have a similar procedure available locally.

For the ffmpeg software, which i use to convert A/V streams into internet-friendly output formats such as VP8 and Ogg Vorbis, there is a plugin “vidstab” that is capable of doing the same thing.

In this article i describe a “two-pass” procedure of applying “vidstab” during a video conversion procedure, and i present some initial results i had when experimenting with the plugin’s parameters.

Land- und Abendstimmungen

4. Oktober 2015 in Other.

Meckesheim, Zuzenhausen 3.10.2015
Aufgenommen auf dem Rundweg von Spechbach über Meckesheim, Zuzenhausen und Eschelbronn.

Ad-Blocking with BIND9 and NGINX

31. Oktober 2015 in Administration, GNU/Linux.

In my intranet, where hosts are in a subnet 192.168.2.0/24 and domain names in a domain mydomain, I use BIND9 as DNS, running on host intradns.mydomain , and NGINX as a webserver running on intraweb.mydomain.

I would like to rewrite all subdomains of certain public domains (spammers and trackers) using my intranet DNS to a webserver that answers every request with a 1 x 1 transparent Pixel GIF.

Note: A user has to be fully aware that the result is not the internet according to public DNS anymore but a modified view of it.

Pages: 1 2 3 4