Enhancing E-Mail Security With Procmail

Obtaining and installing the sanitizer

The current version of the sanitizer is: 1.151

It is recommended you update your copy if your version is older, as bugfixes and filtering for newer exploits will have been added. See the history of changes for details.

The Email Sanitizer procmail ruleset is available at:
[ Distributed HTTP Mirror (worldwide) | HTTP Main Site (US: WA) | HTTP Mirror (US: CA) ]

If you wish to set up an automatically-maintained local mirror of the Sanitizer website, you can run the following command in your mirror directory:

rsync --archive rsync://rsync.impsec.org/email-tools .
If you decide to set up a public mirror, please let me know so I can include it on the list. Synchronizing your mirror once a day will be adequate - the sanitizer is very stable now and changes are infrequent. Don't synchronize more than once hourly - that's as frequently as the public server is updated from my development system, so you'll just be wasting bandwidth.

The MD5 checksum of the current sanitizer is available for verifying your download. Check it after decompressing.

The Email Sanitizer procmail ruleset without Microsoft Office macro scanning is available at:
[ Distributed HTTP Mirror (worldwide) | HTTP Main Site (US: WA) | HTTP Mirror (US: CA) ]

The MD5 checksum of the current no-macro-scanning sanitizer is available for verifying your download. Check it after decompressing.

The recommended poisoned files list is available at:
[ Distributed HTTP Mirror (worldwide) | HTTP Main Site (US: WA) | HTTP Mirror (US: CA) ]

The sample Local Rules procmail ruleset (some worm signatures) is available at:
[ Distributed HTTP Mirror (worldwide) | HTTP Main Site (US: WA) | HTTP Mirror (US: CA) ]

The Opt-Out Preprocessor procmail ruleset is available at:
[ Distributed HTTP Mirror (worldwide) | HTTP Main Site (US: WA) | HTTP Mirror (US: CA) ]

The current development snapshot of the Email Sanitizer procmail ruleset is available at:
[ Distributed HTTP Mirror (worldwide) | HTTP Main Site (US: WA) | HTTP Mirror (US: CA) ]
CAUTION! The development snapshot must be considered BETA code. It may work, it may not, it may totally hose your mailserver. Approach with caution.

Some ruminations on the future directions of the Email Sanitizer are available at:
[ HTTP Main Site (US: WA) | HTTP Mirror (US: CA) ]

If you are downloading this on a Windows or Macintosh system for use on a Unix or Linux system, make sure that you take care of text-file conversion - the script will not run properly with DOS end-of-line characters (carriage return plus line feed) in it. One way to do this is to open the sanitizer script in vim and type:

:set fileformat=unix
:wq
This only works if vim recognised the file as DOS-format when it loaded it; if you still see ^M at the ends of lines afterwards, remove the carriage returns from the shell instead with tr -d '\r' < html-trap.procmail > html-trap.procmail.new and rename the result (a classic Macintosh file with bare CR line endings needs tr '\r' '\n' instead). Also, if you edit the sanitizer in an editor that breaks long lines (for example, pico) the sanitizer will be corrupted: the filter rules continue across lines with a trailing backslash, and a line break inserted by the editor has no backslash in front of it, so it splits the rule in two.

A tarball of the ruleset and other useful files is available at:
[ Distributed HTTP Mirror (worldwide) | HTTP Main Site (US: WA) | HTTP Mirror (US: CA) ]


Site Safety

If you're an administrator and you wish to sanitize all of your users' email automatically, here's how to do it:

Installation under *nix and workalikes (Linux, *BSD, etc.)

  1. Create a directory /etc/procmail owner and group root, permissions rwxr-xr-x.

  2. Download the sanitizing ruleset and save it in that directory, owner and group root, permissions rw-r--r--. If you are using Lynx, highlight the link and press "D" to download the file - don't view it and save it, it'll be corrupted.

  3. Read the configuration instructions.
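Here is an added example, not part of the sanitizer distribution or of the instructions above, that carries out the download checks (decompress, verify the MD5, refuse DOS line endings) and the two installation steps as one script. It assumes that a download whose name ends in .gz is gzip-compressed, that the ruleset is installed under the name html-trap.procmail used in the Troubleshooting section, and that an optional ROOT prefix may stand in for / so the script can be exercised in a scratch directory without root privileges; none of those details come from the page.

```shell
#!/bin/sh
# Added example: verify and install a downloaded copy of the sanitizer.
# Not part of the Email Sanitizer distribution.
# Assumptions (not from the page): a download named *.gz is gzip-compressed;
# the installed ruleset is called html-trap.procmail; an optional ROOT prefix
# replaces / so the script can be tried in a scratch directory as non-root.

# md5_of FILE: print the MD5 hex digest of FILE (md5sum, or openssl fallback).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.* //'
    fi
}

# verify_md5 FILE EXPECTED: 0 if FILE's digest equals EXPECTED, 1 otherwise.
# MD5 catches a corrupted or truncated download; it is not a defence against
# a mirror that serves a modified file together with a matching checksum.
verify_md5() {
    [ "$(md5_of "$1")" = "$2" ]
}

# has_cr FILE: 0 if FILE contains carriage returns (DOS line endings).
has_cr() {
    grep -q "$(printf '\r')" "$1"
}

# strip_cr IN OUT: write IN to OUT with every carriage return removed
# (CR LF becomes LF). For classic Macintosh CR-only files use tr '\r' '\n'.
strip_cr() {
    tr -d '\r' < "$1" > "$2"
}

# install_sanitizer DOWNLOAD EXPECTED_MD5 [ROOT]
# Decompress if needed, verify the checksum of the decompressed ruleset,
# refuse DOS line endings, then install into ROOT/etc/procmail with the
# modes from the instructions (rwxr-xr-x directory, rw-r--r-- file).
# Returns 2 on checksum mismatch, 3 on DOS line endings, 1 on other errors.
install_sanitizer() {
    dl=$1; expected=$2; root=${3:-}
    tmp=$(mktemp) || return 1
    case $dl in
        *.gz) gzip -dc "$dl" > "$tmp" || { rm -f "$tmp"; return 1; } ;;
        *)    cp "$dl" "$tmp" || { rm -f "$tmp"; return 1; } ;;
    esac
    if ! verify_md5 "$tmp" "$expected"; then
        echo "checksum mismatch: got $(md5_of "$tmp"), expected $expected" >&2
        rm -f "$tmp"; return 2
    fi
    if has_cr "$tmp"; then
        echo "$dl has DOS line endings; run strip_cr on it first" >&2
        rm -f "$tmp"; return 3
    fi
    dir=$root/etc/procmail
    install -d -m 755 "$dir" || { rm -f "$tmp"; return 1; }
    install -m 644 "$tmp" "$dir/html-trap.procmail" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    # Ownership root:root needs privileges; skipped when not running as root.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dir" "$dir/html-trap.procmail" || return 1
    fi
    # Final check that the modes are exactly what the instructions require.
    find "$dir" -prune -perm 755 | grep -q . &&
        find "$dir/html-trap.procmail" -perm 644 | grep -q .
}
```

Run it as root with the checksum taken from the checksum page, for example install_sanitizer html-trap.procmail.gz <md5>; the chown is skipped when you are not root, and the final find commands report whether the directory and file ended up with exactly the modes the instructions call for. The MD5 check catches a corrupted or truncated download; it does not protect you against a mirror that serves both a modified file and a matching checksum.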

It is important to note the obvious: the sanitizer will only protect you against attacks in email messages that go through the mail gateway it's installed on. If your users are able to access external POP servers or web-based email systems, they may still receive and become victims of email worms and viruses.

Access to external POP servers can be blocked by your firewall (POP3 uses TCP port 110, and port 995 for POP3 over SSL), but the only way to defend against attacks via web email services is user education. Make your users aware that they may destroy a lot of valuable work and lose a lot of valuable time if they retrieve attachments from web email gateways. Suggest that they forward such messages to their work email address so that the messages get sanitized.


Troubleshooting

If you are getting errors like "sendmail: illegal option -- U" see the configuration page for how to fix it.

Procmail 3.22 has a bug in the VARNAME=|command-line construct used by the 1.133 version of the sanitizer. If you are getting OUT OF MEMORY errors, update to the current release of the sanitizer.

There appears to be a bug in some older versions of Procmail that the sanitizer is especially good at triggering. If you find your mailboxes are being corrupted because the "F" in the "From whoever" line that begins the message is being deleted, please upgrade to the current stable Procmail release. If that does not correct the problem, let me know. (There is some dispute as to whether this is due to a bug in procmail...)

HPUX defaults to a limit on the command line of 20480 characters, which is too short for the full sanitizer and causes it to fail. See your manual for how to increase this limit.

AIX has similar limits. I don't know if they can be adjusted.

If the full sanitizer behaves really strangely (like trying to execute the email message itself as a program) then try the no-macro-scan version to see if system size limits may be the issue. Moving the perl script off the command line to a separate file will happen soon; once that is done, these limits will no longer present a problem, at the cost of having multiple files to maintain and update. (However, it may let us compile the perl script!)

If you get Program failure (141) of "perl -p -e '... whenever the sanitizer tries to scan a document for macros, you need to make sure that mktemp and mimencode are properly installed. (Exit status 141 is 128 + 13: the shell is reporting that perl was killed by SIGPIPE, which is what happens when the program on the other end of the pipe never starts.) Add this to your /etc/procmailrc file for debugging:

LOG=`type mktemp`
LOG=`type mimencode`
If either program cannot be found, macro scanning will fail and crash the sanitizer.

If you get "Word too long" errors, try adding "SHELL=/bin/sh" or "SHELL=/bin/ksh" to /etc/procmailrc before the call to html-trap.procmail - csh can't handle a command-line argument the size of the Perl script that's in the filter. The current version of the sanitizer now automatically uses sh if you have defaulted to using csh.

Do not put html-trap.procmail into /etc/procmailrcs/ as implied by the procmail man page. You'll get security errors from Perl about -e and setuid scripts if you do this. You may also have problems with filtering mail sent to root for this reason.

It looks like this perl script can be a bit of a memory hog on some systems. If you start getting "Out of memory" errors in your procmail log file, try adding

ulimit -d 15000;
just before the perl -p -e in the MIME-sanitizing rule (ulimit -d sets the maximum data segment size in kilobytes, so this allows roughly 15 MB; ulimit is a builtin of sh, ksh and bash but not of csh, which is one more reason to set SHELL as described above):
:0 fw
| ulimit -d 15000; perl -p -e ' #\
You might also have to increase the hard memory limit originally set for sendmail, since a non-root process cannot raise its soft limit above the hard limit. Don't add this unless you get "Out of memory" errors.
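As an added example, not from the sanitizer distribution, here is a preflight script that checks for the conditions behind most of the failures listed above before you install the ruleset: missing helper programs (the cause of the Program failure (141) case), a csh-family SHELL, a command-line length limit too small for the Perl script that is passed to perl -e, and the data-segment limit that ulimit -d controls. The 25000-character probe length is an assumption standing in for "longer than the 20480 characters HP-UX allows by default"; the page does not give the exact size of the embedded Perl script. Inspecting the SHELL of the invoking environment is likewise an approximation of the shell procmail will actually use, which the page recommends pinning with SHELL=/bin/sh in /etc/procmailrc.

```shell
#!/bin/sh
# Added example: preflight checks for the Troubleshooting items above.
# Not part of the Email Sanitizer distribution.
# Assumptions (not from the page): 25000 characters stands in for "longer
# than the 20480-character HP-UX default"; the invoking SHELL approximates
# the shell procmail will hand the filter to.

# have_cmd NAME: 0 if NAME is found on PATH.
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# missing_cmds NAME...: print each NAME not on PATH, one per line;
# return 1 if any is missing. A missing mktemp or mimencode is the cause
# of "Program failure (141)" in the macro-scanning rule.
missing_cmds() {
    rc=0
    for c in "$@"; do
        have_cmd "$c" || { echo "$c"; rc=1; }
    done
    return $rc
}

# probe_arg_len N: 0 if one argument of N characters can be passed to an
# exec'd program, non-zero if the system's command-line limit rejects it.
# The full sanitizer passes its Perl script to perl -e as a single
# argument, so a failure here means the HP-UX/AIX limit applies here too.
probe_arg_len() {
    pad=$(awk -v n="$1" 'BEGIN { while (n-- > 0) printf "#" }')
    /bin/sh -c ':' probe "$pad" 2>/dev/null
}

# shell_ok [SHELL]: 0 unless SHELL (default: $SHELL or /bin/sh) is a csh
# variant, which cannot handle the filter's argument ("Word too long").
shell_ok() {
    case ${1:-${SHELL:-/bin/sh}} in
        *csh) return 1 ;;
        *)    return 0 ;;
    esac
}

# preflight: print a report and return the number of problems found.
preflight() {
    problems=0
    for c in procmail perl mktemp mimencode; do
        if have_cmd "$c"; then
            echo "ok      $c found"
        else
            echo "MISSING $c (macro scanning fails without mktemp and mimencode)"
            problems=$((problems + 1))
        fi
    done
    if probe_arg_len 25000; then
        echo "ok      25000-character argument accepted (ARG_MAX=$(getconf ARG_MAX 2>/dev/null || echo '?'))"
    else
        echo "FAIL    command-line limit too small for the full sanitizer; try the no-macro-scan version"
        problems=$((problems + 1))
    fi
    if shell_ok; then
        echo "ok      SHELL=${SHELL:-/bin/sh}"
    else
        echo "WARN    SHELL=$SHELL is a csh variant; put SHELL=/bin/sh in /etc/procmailrc"
        problems=$((problems + 1))
    fi
    echo "info    ulimit -d = $(ulimit -d 2>/dev/null || echo '?') (data segment, kbytes; raise it if perl runs out of memory)"
    return $problems
}

# Print the report; the exit status of preflight is the number of problems.
preflight || echo "preflight found $? problem(s)" >&2
```

Run it on the mail gateway as the user procmail will run as, so that PATH and SHELL match what the filter will see; a MISSING line for mktemp or mimencode explains the 141 failures, and a FAIL on the argument probe means the no-macro-scan version is the one to install on that machine.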


Mirror hosting generously provided by:

Thanks muchly!

$Id: sanitizer-download.html,v 1.58 2006-01-20 07:40:08-08 jhardin Exp jhardin $
Contents Copyright (C) 2006 by John D. Hardin - All Rights Reserved.