github-personal/Mailu
1
0
Fork 0
mirror of https://github.com/outbackdingo/Mailu.git synced 2026-01-27 10:19:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge #2528

Browse Source 
2528: Implement #2510: oletools integration r=mergify[bot] a=nextgens

## What type of PR?

Feature

## What does this PR do?

OLETools now flags documents with macros and rejects suspicious ones. We also block executable file extensions by default (but don't perform inspection in archives: you can tell users to zip-up whatever needs sending).

### Related issue(s)
- closes #2510
- closes #2511

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
This commit is contained in:
bors[bot]
2022-12-22 16:14:19 +00:00
committed by GitHub
parent 8461a11ff4 6d87fa423c
commit 8d2bd6d9ff
36 changed files with 495 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/build_test_deploy.yml vendored
View File

@@ -394,7 +394,7 @@ jobs:
strategy:
fail-fast: false
matrix:
target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "postfix", "dovecot", "unbound", "nginx"]
target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "oletools", "postfix", "dovecot", "unbound", "nginx"]
steps:
- uses: actions/checkout@v3
- name: Retrieve global variables
@@ -439,7 +439,7 @@ jobs:
strategy:
fail-fast: false
matrix:
target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "postfix", "dovecot", "unbound", "nginx"]
target: ["setup", "docs", "fetchmail", "webmail", "admin", "traefik-certdumper", "radicale", "clamav", "rspamd", "oletools", "postfix", "dovecot", "unbound", "nginx"]
steps:
- uses: actions/checkout@v3
- name: Retrieve global variables

2
README.md
View File

@@ -22,7 +22,7 @@ Main features include:
- **Web access**, multiple Webmails and administration interface
- **User features**, aliases, auto-reply, auto-forward, fetched accounts
- **Admin features**, global admins, announcements, per-domain delegation, quotas
- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, [Snuffleupagus](https://github.com/jvoisin/snuffleupagus/)
- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, [Snuffleupagus](https://github.com/jvoisin/snuffleupagus/), block malicious attachments
- **Antispam**, auto-learn, greylisting, DMARC and SPF, anti-spoofing
- **Freedom**, all FOSS components, no tracker included

1
core/base/Dockerfile
View File

@@ -27,6 +27,7 @@ ENV \
FRONT_ADDRESS="front" \
SMTP_ADDRESS="smtp" \
IMAP_ADDRESS="imap" \
OLETOOLS_ADDRESS="oletools" \
REDIS_ADDRESS="redis" \
ANTIVIRUS_ADDRESS="antivirus" \
ANTISPAM_ADDRESS="antispam" \

4
core/base/requirements-dev.txt
View File

@@ -45,6 +45,10 @@ watchdog
# core/postfix
postfix-mta-sts-resolver
# core/oletools
python-magic
oletools
# optional/fetchmail
requests

6
core/base/requirements-prod.txt
View File

@@ -41,6 +41,7 @@ MarkupSafe==2.1.1
marshmallow==3.18.0
marshmallow-sqlalchemy==0.28.1
multidict==6.0.2
oletools==0.60.1
mysql-connector-python==8.0.29
packaging==21.3
passlib==1.7.4
@@ -51,7 +52,10 @@ psycopg2-binary==2.9.5
pycares==4.2.2
pycparser==2.21
Pygments==2.13.0
pyparsing==3.0.9
pyOpenSSL==22.1.0
pyparsing==2.4.7
python-dateutil==2.8.2
python-magic==0.4.27
python-dateutil==2.8.2
pytz==2022.6
PyYAML==6.0

31
core/oletools/Dockerfile Normal file
View File

@@ -0,0 +1,31 @@
# syntax=docker/dockerfile-upstream:1.4.3
# oletools image
FROM base
ARG VERSION=local
LABEL version=$VERSION
RUN set -euxo pipefail \
; apk add --no-cache netcat-openbsd libmagic libffi \
; curl -sLo olefy.py https://raw.githubusercontent.com/HeinleinSupport/olefy/f8aac6cc55283886d153e89c8f27fae66b1c24e2/olefy.py \
; chmod 755 olefy.py
RUN echo $VERSION >/version
HEALTHCHECK --start-period=60s CMD echo PING|nc -q1 127.0.0.1 11343|grep "PONG"
EXPOSE 11343/tcp
USER nobody:nobody
ENV \
OLEFY_BINDADDRESS="0.0.0.0" \
OLEFY_BINDPORT="11343" \
OLEFY_OLEVBA_PATH="/app/venv/bin/olevba" \
OLEFY_PYTHON_PATH="/app/venv/bin/python3" \
OLEFY_TMPDIR="/dev/shm/" \
OLEFY_MINLENGTH="300" \
OLEFY_DEL_TMP="1" \
OLEFY_DEL_TMP_FAILED="1"
CMD /app/olefy.py

14
core/rspamd/conf/composites.conf Normal file
View File

@@ -0,0 +1,14 @@
{% if SCAN_MACROS == 'True' %}
OLETOOLS_MACRO_MRAPTOR {
expression = "(OLETOOLS_A & OLETOOLS_W) | (OLETOOLS_A & OLETOOLS_X) | (OLETOOLS_W & OLETOOLS_X)";
message = "Rejected (malicious macro - mraptor)";
policy = "leave";
score = 20.0;
}
OLETOOLS_MACRO_SUSPICIOUS {
expression = "OLETOOLS_FLAG | OLETOOLS_VBASTOMP | OLETOOLS_A";
message = "Rejected (malicious macro)";
policy = "leave";
score = 20.0;
}
{% endif %}

64
core/rspamd/conf/external_services.conf Normal file
View File

@@ -0,0 +1,64 @@
{% if SCAN_MACROS == 'True' %}
oletools {
# default olefy settings
servers = "{{ OLETOOLS_ADDRESS }}:11343"
# needs to be set explicitly for Rspamd < 1.9.5
scan_mime_parts = true;
extended = true;
max_size = 3145728;
timeout = 20.0;
retransmits = 1;
patterns {
OLETOOLS_MACRO_FOUND= '^.....M..$';
OLETOOLS_AUTOEXEC = '^A....M..$';
OLETOOLS_FLAG = '^.....MS.$';
OLETOOLS_VBASTOMP = '^VBA Stomping$';
# see https://github.com/decalage2/oletools/blob/master/oletools/mraptor.py
OLETOOLS_A = '(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload|NavigateComplete2|NavigateError|ProgressChange|PropertyChange|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove|MouseEnter|MouseLeave|OnConnecting))\b|Auto_Ope\b';
OLETOOLS_W = '(?i)\b(?:FileCopy|CopyFile|Kill|CreateTextFile|VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|WriteProcessMemory|ADODB\.Stream|WriteText|SaveToFile|SaveAs|SaveAsRTF|FileSaveAs|MkDir|RmDir|SaveSetting|SetAttr)\b|(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)';
OLETOOLS_X = '(?i)\b(?:Shell|CreateObject|GetObject|SendKeys|RUN|CALL|MacScript|FollowHyperlink|CreateThread|ShellExecuteA?|ExecuteExcel4Macro|EXEC|REGISTER|SetTimer)\b|(?:\bDeclare\b[^\n]+\bLib\b)';
}
# mime-part regex matching in content-type or filename
mime_parts_filter_regex {
#UNKNOWN = "application\/octet-stream";
DOC2 = "application\/msword";
DOC3 = "application\/vnd\.ms-word.*";
XLS = "application\/vnd\.ms-excel.*";
PPT = "application\/vnd\.ms-powerpoint.*";
GENERIC = "application\/vnd\.openxmlformats-officedocument.*";
}
# mime-part filename extension matching (no regex)
mime_parts_filter_ext {
doc = "doc";
dot = "dot";
docx = "docx";
dotx = "dotx";
docm = "docm";
dotm = "dotm";
xls = "xls";
xlt = "xlt";
xla = "xla";
xlsx = "xlsx";
xltx = "xltx";
xlsm = "xlsm";
xltm = "xltm";
xlam = "xlam";
xlsb = "xlsb";
ppt = "ppt";
pot = "pot";
pps = "pps";
ppa = "ppa";
pptx = "pptx";
potx = "potx";
ppsx = "ppsx";
ppam = "ppam";
pptm = "pptm";
potm = "potm";
ppsm = "ppsm";
slk = "slk";
}
}
{% endif %}

40
core/rspamd/conf/external_services_group.conf Normal file
View File

@@ -0,0 +1,40 @@
{% if SCAN_MACROS == 'True' %}
# local.d/external_services_group.conf
description = "Oletools content rules";
symbols = {
"OLETOOLS" {
weight = 1.0;
description = "OLETOOLS found a Macro";
one_shot = true;
},
"OLETOOLS_MACRO_FOUND" {
weight = 0.0;
one_shot = true;
},
"OLETOOLS_AUTOEXEC" {
weight = 0.0;
one_shot = true;
},
"OLETOOLS_FLAG" {
weight = 0.0;
one_shot = true;
},
"OLETOOLS_VBASTOMP" {
weight = 0.0;
one_shot = true;
},
"OLETOOLS_A" {
weight = 0.0;
one_shot = true;
},
"OLETOOLS_W" {
weight = 0.0;
one_shot = true;
},
"OLETOOLS_X" {
weight = 0.0;
one_shot = true;
},
}
{% endif %}

68
core/rspamd/conf/forbidden_file_extension.map Normal file
View File

@@ -0,0 +1,68 @@
ace
ade
adp
apk
appx
appxbundle
arj
bat
bin
cab
chm
class
cmd
com
cpl
diagcab
diagcfg
diagpack
dll
ex
ex_
exe
hlp
hta
img
ins
iso
isp
jar
jnlp
js
jse
lib
lnk
lzh
mde
msc
msi
msix
msixbundle
msp
mst
msu
nsh
ocx
ovl
pif
ps1
r01
r14
r18
r25
scr
sct
shb
shs
sys
vb
vbe
vbs
vbscript
vdl
vhd
vxd
wsc
wsf
wsh
xll

13
core/rspamd/conf/multimap.conf
View File

@@ -9,3 +9,16 @@ IS_LOCAL_DOMAIN_E {
selector = "from('smtp'):domain";
map = "http://{{ ADMIN_ADDRESS }}/internal/rspamd/local_domains";
}
FORBIDDEN_FILE_EXTENSION {
type = "filename";
filter = "extension";
map = [
"/etc/rspamd/local.d/forbidden_file_extension.map",
];
prefilter = true;
action = "reject";
symbol = "FORBIDDEN_FILE_EXTENSION";
description = "List of forbidden file extensions";
message = "Forbidden attachment extension";
}

28
docs/antispam.rst
View File

@@ -155,3 +155,31 @@ For more information on using the multimap filter see the official `multimap doc
.. _`1438`: https://github.com/Mailu/Mailu/issues/1438
.. _`1167`: https://github.com/Mailu/Mailu/issues/1167
.. _`1566`: https://github.com/Mailu/Mailu/issues/1566
Can I change the list of authorized file attachments?
-----------------------------------------------------
Mailu rejects emails with file attachements it deems to be "executable" or otherwise dangerous. If you would like to tweak the block list, you can do so using the following commands:
.. code-block:: bash
docker-compose exec antispam cat /etc/rspamd/local.d/forbidden_file_extension.map > overrides/rspamd/forbidden_file_extension.map
docker-compose restart antispam
Now the file `overrides/rspamd/forbidden_file_extension.map` can be edited, to make changes to the forbidden file extensions list.
For the changes to take effect, rspamd must be restarted.
Mailu rejects emails with documents attached containing some macros. How can I fix it?
--------------------------------------------------------------------------------------
If configured to do so, Mailu uses a lightweight tool called `mraptor from oletools`_ to scan documents containing macros. By default only macros deemed potentially harmful are blocked, but there may be false positives. If you want to change the default behaviour, you may need to override the ``/etc/rspamd/local.d/composites.conf`` file in the antispam container. The following commands may be useful:
.. code-block:: bash
docker-compose exec antispam cat /etc/rspamd/local.d/composites.conf > overrides/rspamd/composites.conf
docker-compose restart antispam
Now the file `overrides/rspamd/composites.conf` can be edited, to override the mraptor configuration in rspamd.
For the changes to take effect, rspamd must be restarted.
.. _`mraptor from oletools`: https://github.com/decalage2/oletools/wiki/mraptor

6
docs/configuration.rst
View File

@@ -100,6 +100,12 @@ by setting ``INBOUND_TLS_ENFORCE`` to ``True``. Please note that this is forbidd
internet facing hosts according to e.g. `RFC 3207`_ , because this prevents MTAs without STARTTLS
support or e.g. mismatching TLS versions to deliver emails to Mailu.
The ``SCAN_MACROS`` (default: True) setting controls whether Mailu will endavour
to reject emails containing documents with malicious macros. Under the hood, it uses
`mraptor from oletools`_ to determine whether a macro is malicious or not.
.. _`mraptor from oletools`: https://github.com/decalage2/oletools/wiki/mraptor
.. _`RFC 3207`: https://tools.ietf.org/html/rfc3207
.. _fetchmail:

2
docs/index.rst
View File

@@ -28,7 +28,7 @@ Main features include:
- **Web access**, multiple Webmails and administration interface
- **User features**, aliases, auto-reply, auto-forward, fetched accounts
- **Admin features**, global admins, announcements, per-domain delegation, quotas
- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, Snuffleupagus
- **Security**, enforced TLS, DANE, MTA-STS, Letsencrypt!, outgoing DKIM, anti-virus scanner, [Snuffleupagus](https://github.com/jvoisin/snuffleupagus/), block malicious attachments
- **Antispam**, auto-learn, greylisting, DMARC and SPF, anti-spoofing
- **Freedom**, all FOSS components, no tracker included

29
setup/flavors/compose/docker-compose.yml
View File

@@ -103,16 +103,40 @@ services:
- {{ dns }}
{% endif %}
{% if oletools_enabled %}
oletools:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-{{ version }}}
hostname: oletools
restart: always
networks:
- noinet
depends_on:
{% if resolver_enabled %}
- resolver
dns:
- {{ dns }}
{% endif %}
{% endif %}
antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-{{ version }}}
hostname: antispam
restart: always
env_file: {{ env }}
{% if oletools_enabled %}
networks:
- default
- noinet
{% endif %}
volumes:
- "{{ root }}/filter:/var/lib/rspamd"
- "{{ root }}/overrides/rspamd:/etc/rspamd/override.d:ro"
depends_on:
- front
- redis
{% if oletools_enabled %}
- oletools
{% endif %}
{% if antivirus_enabled %}
- antivirus
{% endif %}
@@ -202,3 +226,8 @@ networks:
{% if ipv6_enabled %}
- subnet: {{ subnet6 }}
{% endif %}
{% if oletools_enabled %}
noinet:
driver: bridge
internal: true
{% endif %}

3
setup/flavors/compose/mailu.env
View File

@@ -58,6 +58,9 @@ WEBDAV={{ webdav_enabled or 'none' }}
# Antivirus solution (value: clamav, none)
ANTIVIRUS={{ antivirus_enabled or 'none' }}
# Scan Macros solution (value: true, false)
SCAN_MACROS={{ oletools_enabled or 'false' }}
###################################
# Mail settings
###################################

9
setup/templates/steps/compose/02_services.html
View File

@@ -55,6 +55,15 @@ the security implications caused by such an increase of attack surface.<p>
<i>Fetchmail allows users to retrieve mail from an external mail-server via IMAP/POP3 and puts it in their inbox.</i>
</div>
<div class="form-check form-check-inline">
<label class="form-check-label">
<input class="form-check-input" type="checkbox" name="oletools_enabled" value="true" checked>
Enable oletools
</label>
<i>Oletools scans documents in email attachements for malicious macros. It has a much lower memory footprint than a full-fledged anti-virus.</i>
</div>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script type="text/javascript" src="{{ url_for('static', filename='render.js') }}"></script>

2
setup/templates/steps/config.html
View File

@@ -82,7 +82,7 @@ Or in plain english: if receivers start to classify your mail as spam, this post
manage your email domains, users, etc.</p>
<div class="form-group">
<input type="checkbox" name="admin_enabled" value="true" id="admin">
<input type="checkbox" name="admin_enabled" value="true" id="admin" checked>
<label>Enable the admin UI (and path to the admin UI)</label>
<input class="form-control" type="text" name="admin_path" id="admin_path" style="display: none">
</div>

10
tests/build.hcl
View File

@@ -34,6 +34,7 @@ group "default" {
"antispam",
"front",
"imap",
"oletools",
"smtp",
"webmail",
@@ -152,6 +153,15 @@ target "front" {
tags = tag("nginx")
}
target "oletools" {
inherits = ["defaults"]
context = "core/oletools/"
contexts = {
base = "target:base"
}
tags = tag("oletools")
}
target "imap" {
inherits = ["defaults"]
context = "core/dovecot/"

13
tests/compose/core/docker-compose.yml
View File

@@ -65,10 +65,20 @@ services:
depends_on:
- front
oletools:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local}
hostname: oletools
restart: always
networks:
- noinet
antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local}
restart: always
env_file: mailu.env
networks:
- default
- noinet
volumes:
- "/mailu/filter:/var/lib/rspamd"
- "/mailu/dkim:/dkim"
@@ -96,3 +106,6 @@ networks:
driver: default
config:
- subnet: 192.168.203.0/24
noinet:
driver: bridge
internal: true

3
tests/compose/core/mailu.env
View File

@@ -65,6 +65,9 @@ WEBDAV=none
#Antispam solution
ANTISPAM=none
# Scan Macros solution (value: true, false)
SCAN_MACROS=True
###################################
# Mail settings
###################################

13
tests/compose/fetchmail/docker-compose.yml
View File

@@ -65,10 +65,20 @@ services:
depends_on:
- front
oletools:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local}
hostname: oletools
restart: always
networks:
- noinet
antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local}
restart: always
env_file: mailu.env
networks:
- default
- noinet
volumes:
- "/mailu/filter:/var/lib/rspamd"
- "/mailu/dkim:/dkim"
@@ -103,3 +113,6 @@ networks:
driver: default
config:
- subnet: 192.168.203.0/24
noinet:
driver: bridge
internal: true

3
tests/compose/fetchmail/mailu.env
View File

@@ -65,6 +65,9 @@ WEBDAV=none
#Antispam solution
ANTISPAM=none
# Scan Macros solution (value: true, false)
SCAN_MACROS=True
###################################
# Mail settings
###################################

4
tests/compose/filters/01_email_test.sh
View File

@@ -1,6 +1,6 @@
python3 tests/email_test.py message-virus "tests/compose/filters/eicar.com"
python3 tests/email_test.py message-virus "tests/compose/filters/eicar.com.txt"
if [ $? -eq 99 ]; then
exit 0
else
exit 1
fi
fi

13
tests/compose/filters/03_email_macro.sh Executable file
View File

@@ -0,0 +1,13 @@
# Malicious macros should be blocked
# see https://github.com/clr2of8/VBAstomp and https://github.com/decalage2/oletools/wiki/mraptor
python3 tests/email_test.py message-macro-stomp "tests/compose/filters/2003x32_word_msgbox_stomped_fakecode.doc"
if [ $? -ne 25 ]; then
exit 1
fi
# This does Auto_Open + Alert()
python3 tests/email_test.py message-autoexec-macro "tests/compose/filters/excel4_sample_macro.slk"
if [ $? -ne 25 ]; then
exit 1
fi
exit 0

BIN
tests/compose/filters/2003x32_word_msgbox_stomped_fakecode.doc Normal file
View File

Binary file not shown.

13
tests/compose/filters/docker-compose.yml
View File

@@ -65,10 +65,20 @@ services:
depends_on:
- front
oletools:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local}
hostname: oletools
restart: always
networks:
- noinet
antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local}
restart: always
env_file: mailu.env
networks:
- default
- noinet
volumes:
- "/mailu/filter:/var/lib/rspamd"
- "/mailu/dkim:/dkim"
@@ -102,3 +112,6 @@ networks:
driver: default
config:
- subnet: 192.168.203.0/24
noinet:
driver: bridge
internal: true

0
tests/compose/filters/eicar.com → tests/compose/filters/eicar.com.txt
View File

68
tests/compose/filters/excel4_sample_macro.slk Normal file
View File

@@ -0,0 +1,68 @@
ID;PWXL;N;E
P;PGeneral
P;P0
P;P0.00
P;P#,##0
P;P#,##0.00
P;P#,##0;;\-#,##0
P;P#,##0;;[Red]\-#,##0
P;P#,##0.00;;\-#,##0.00
P;P#,##0.00;;[Red]\-#,##0.00
P;P#,##0\ "$";;\-#,##0\ "$"
P;P#,##0\ "$";;[Red]\-#,##0\ "$"
P;P#,##0.00\ "$";;\-#,##0.00\ "$"
P;P#,##0.00\ "$";;[Red]\-#,##0.00\ "$"
P;P0%
P;P0.00%
P;P0.00E+00
P;P##0.0E+0
P;P#" "?/?
P;P#" "??/??
P;Pdd/mm/yyyy
P;Pdd\-mmm\-yy
P;Pdd\-mmm
P;Pmmm\-yy
P;Ph:mm\ AM/PM
P;Ph:mm:ss\ AM/PM
P;Phh:mm
P;Phh:mm:ss
P;Pdd/mm/yyyy\ hh:mm
P;Pmm:ss
P;Pmm:ss.0
P;P@
P;P[h]:mm:ss
P;P_-* #,##0\ "$"_-;;\-* #,##0\ "$"_-;;_-* "-"\ "$"_-;;_-@_-
P;P_-* #,##0_-;;\-* #,##0_-;;_-* "-"_-;;_-@_-
P;P_-* #,##0.00\ "$"_-;;\-* #,##0.00\ "$"_-;;_-* "-"??\ "$"_-;;_-@_-
P;P_-* #,##0.00_-;;\-* #,##0.00_-;;_-* "-"??_-;;_-@_-
P;FCalibri;M220;L9
P;FCalibri;M220;L9
P;FCalibri;M220;L9
P;FCalibri;M220;L9
P;ECalibri;M220;L9
P;ECalibri Light;M360;L55
P;ECalibri;M300;SB;L55
P;ECalibri;M260;SB;L55
P;ECalibri;M220;SB;L55
P;ECalibri;M220;L18
P;ECalibri;M220;L21
P;ECalibri;M220;L61
P;ECalibri;M220;L63
P;ECalibri;M220;SB;L64
P;ECalibri;M220;SB;L53
P;ECalibri;M220;L53
P;ECalibri;M220;SB;L10
P;ECalibri;M220;L11
P;ECalibri;M220;SI;L24
P;ECalibri;M220;SB;L9
P;ECalibri;M220;L10
P;ESegoe UI;M200;L9
F;P0;DG0G8;E;M292
B;Y2;X1;D0 0 1 0
O;L;E;D;V0;K47;G100 0.001
F;W1 1 17
F;W2 16384 9
NN;NAuto_Open;ER1C1
C;Y1;X1;KFALSE;EALERT("This is a sample Excel 4 macro")
C;Y2;KTRUE;EHALT()
E

3
tests/compose/filters/mailu.env
View File

@@ -65,6 +65,9 @@ ANTIVIRUS=clamav
#Antispam solution
ANTISPAM=none
# Scan Macros solution (value: true, false)
SCAN_MACROS=True
###################################
# Mail settings
###################################

13
tests/compose/webdav/docker-compose.yml
View File

@@ -65,10 +65,20 @@ services:
depends_on:
- front
oletools:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local}
hostname: oletools
restart: always
networks:
- noinet
antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local}
restart: always
env_file: mailu.env
networks:
- default
- noinet
volumes:
- "/mailu/filter:/var/lib/rspamd"
- "/mailu/dkim:/dkim"
@@ -103,3 +113,6 @@ networks:
driver: default
config:
- subnet: 192.168.203.0/24
noinet:
driver: bridge
internal: true

3
tests/compose/webdav/mailu.env
View File

@@ -65,6 +65,9 @@ WEBDAV=radicale
#Antispam solution
ANTISPAM=none
# Scan Macros solution (value: true, false)
SCAN_MACROS=True
###################################
# Mail settings
###################################

13
tests/compose/webmail/docker-compose.yml
View File

@@ -65,10 +65,20 @@ services:
depends_on:
- front
oletools:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-local}
hostname: oletools
restart: always
networks:
- noinet
antispam:
image: ${DOCKER_ORG:-mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-local}
restart: always
env_file: mailu.env
networks:
- default
- noinet
volumes:
- "/mailu/filter:/var/lib/rspamd"
- "/mailu/dkim:/dkim"
@@ -104,3 +114,6 @@ networks:
driver: default
config:
- subnet: 192.168.203.0/24
noinet:
driver: bridge
internal: true

3
tests/compose/webmail/mailu.env
View File

@@ -65,6 +65,9 @@ WEBDAV=none
#Antispam solution
ANTISPAM=none
# Scan Macros solution (value: true, false)
SCAN_MACROS=True
###################################
# Mail settings
###################################

1
towncrier/newsfragments/2510.feature Normal file
View File

@@ -0,0 +1 @@
Implement OLETools and block bad macros in office documents

1
towncrier/newsfragments/2511.misc Normal file
View File

@@ -0,0 +1 @@
Block executable file formats by default. Ask your users to zip them up if required.