I occasionally have a client who tries to email me and says his email gets blocked by my server. When I check the logs, I see this:
Sep 6 18:12:52 myers amavis[15197]: (15197-08) p.path BANNED:1 [email protected]: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/ms-tnef,T=tnef,N=winmail.dat | P=p004,L=1/2/1,T=image,T=gif,N=image001.gif,N=image001.gif", matching_key="(?-xism:^\\.(exe|lha|tnef|cab|dll)$)"
And then a little later...
Sep 6 18:12:58 myers amavis[15197]: (15197-08) Blocked BANNED (.image,.gif,image001.gif,image001.gif), [213.199.154.205] [157.56.236.229] <[email protected]> - , quarantine: banned-g4QhZGvwJvDF, Message-ID <6A9596BE385EC1499F83E464FA9ECCA20C668320@BY2PRD0611MB417.namprd06.prod.outlook.com>, mail_id: g4QhZGvwJvDF, Hits: -, size: 20916, 8439 ms
From this and the bounce that he forwards me (to a different address I give him), I determine that it's bouncing because of the file in his signature (image001.gif). However, that does NOT match the "key" in this part of the log:
matching_key="(?-xism:^\\.(exe|lha|tnef|cab|dll)$)"
Furthermore, the .gif extension is nowhere to be found in the /etc/amavisd.conf file (i.e. I'm not blocking emails because they contain .gif images).
Am I missing something here? This is strange... and annoying.
Have a look at the file; maybe the content is something else. amavis uses 'file' to look into the content and see what content type it is.
Final conclusion after getting advice from Båt Karl Patrik Andersson
The "blocked anywhere" directive included this line:
I reexamined the logs, bounce messages, and the info I pasted into this question, and saw a consistent theme: they all contained something with a .tnef extension. I researched it, and it turns out it's coming from Microsoft Outlook, and was considered a potential security vulnerability. I'm researching now how "unsafe" it would be for me to turn it off, but in the meantime, I have done so.
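The `p.path` log line from the question already names the part that tripped the rule. The script below is an added example (not amavis code and not from the original posts) that splits that line into its MIME parts and tests each part's names against the logged `matching_key`. It assumes `T=` types are compared with a leading dot, as the `(.image,.gif,...)` list in the "Blocked BANNED" line suggests, and that names contain no commas.

```python
import re

# Log line copied from the question above (the address is redacted on the page).
SAMPLE = r'''Sep 6 18:12:52 myers amavis[15197]: (15197-08) p.path BANNED:1 [email protected]: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/ms-tnef,T=tnef,N=winmail.dat | P=p004,L=1/2/1,T=image,T=gif,N=image001.gif,N=image001.gif", matching_key="(?-xism:^\\.(exe|lha|tnef|cab|dll)$)"'''

LINE_RE = re.compile(
    r'p\.path BANNED:\d+ .*?: "(?P<path>[^"]*)", matching_key="(?P<key>.*)"\s*$')

def perl_key_to_python(key):
    """Turn the logged Perl qr// string into a Python pattern (simple regexes only)."""
    key = key.replace('\\\\', '\\')                 # the log doubles backslashes
    m = re.fullmatch(r'\(\?[\^a-z-]*:(.*)\)', key)  # strip the (?-xism: ... ) wrapper
    return re.compile(m.group(1) if m else key)

def names_for_part(part):
    """Candidate names for one part: M= as is, T= with a leading dot, N= as is."""
    names = []
    for field in part.split(','):
        tag, _, value = field.partition('=')
        if tag == 'T':
            names.append('.' + value)   # assumption: short types are dot-prefixed
        elif tag in ('M', 'N'):
            names.append(value)
    return names

def explain_banned(line):
    """Return (part id, matching name) for every part name the key matches."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError('not an amavis p.path BANNED line')
    key = perl_key_to_python(m.group('key'))
    hits = []
    for part in m.group('path').split(' | '):   # root part first, leaf part last
        part_id = part.split(',', 1)[0].partition('=')[2]
        hits += [(part_id, n) for n in names_for_part(part) if key.search(n)]
    return hits

if __name__ == '__main__':
    for part_id, name in explain_banned(SAMPLE):
        print(f'{part_id}: {name!r} matches the banned key')
```

On the sample line this reports part `p002` (the `winmail.dat` container) with the name `.tnef`; the GIF listed in the "Blocked BANNED" line is only the last part on the path.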