# anomy-secure.conf
#
# Higher security example config file for Anomy Sanitizer.
#
# From http://advosys.ca/papers/postfix-filtering.html
# Advosys Consulting Inc., Ottawa
#
# Format notes: this is the sanitizer's own `key = value` format, not
# strict INI -- there are no [sections], comments are full-line `#`, and
# `key += value` appends to a key set earlier (used below to build the
# long attachment-name regexes one fragment at a time).
#
# - Defangs MIME, web bugs and message/partial MIME types
# - Forces all attachments to have file names
# - Removes all known MS Windows "Executable" file types
# - Leaves MS Office and graphics files untouched
# - Looks for file types anywhere in file name, not just
#   at the end (To defeat Outlook express "middle extension"
#   bug: http://www.theregister.co.uk/content/56/29137.html
# - Renames everything else (to defeat whatever next "executable"
#   file type is discovered to exist in Windows/Outlook/Exchange)
#
# **WARNING* *WARNING* *WARNING**
# The above rules defeat much known and unknown malware but
# are DANGEROUS unless you have a downstream antivirus product
# that can detect macro viruses and executables embedded in
# MS Office documents (like Word or PowerPoint files).
# **WARNING* *WARNING* *WARNING**
#

# Do not log to STDERR:
feat_log_stderr = 0
feat_log_xml = 0

# Don't insert log in the message itself:
feat_log_inline = 0

# Advertisement to insert in each mail header:
header_info = X-Sanitizer: Advosys mail filter
header_url = 0
header_rev = 0

# Enable filename based policy decisions (the file_list_* rules below):
feat_files = 1

# Protect against buffer overflows and null values:
feat_lengths = 1

# Replace MIME boundaries with our own:
feat_boundaries = 1

# Fix invalid and ambiguous MIME boundaries, if possible:
feat_fixmime = 1

# Trust signed and/or encrypted messages: 0 = no, so signed/encrypted
# content goes through the same sanitizing as everything else.
feat_trust_pgp = 0
# Text presumably inserted where unsanitized PGP content would follow;
# whether the trailing \n is an escape or literal text depends on the
# sanitizer's parser -- confirm before editing.
msg_pgp_warning = WARNING: Unsanitized content follows.\n

# Defang shell scripts:
feat_scripts = 1

# Defang active HTML:
feat_html = 1

# Disable web bugs:
feat_webbugs = 1

# Defang UUEncoded files:
feat_uuencoded = 1

# Sanitize forwarded content too:
feat_forwards = 1

# Testing? Set to 1 for testing, 0 for production:
feat_testing = 0
#
# Warn user about unscanned parts, etc.
feat_verbose = 1

# Force all parts (except text/html parts) to
# have file names, so that the name-based rules below
# have something to match on.
feat_force_name = 1

# Disable message/partial MIME types:
feat_no_partial = 1

# Disable "score" based mail discarding:
score_panic = 0
score_bad = 0

##
## File attachment name mangling rules:
##
# Template for the on-disk name of renamed attachments; the spool
# directory presumably has to exist and be writable by the filter user --
# verify on the deployment host.
file_name_tpl = /var/spool/filter/$F-$T.$$

# Number of rulesets we are defining. Only rules 1 and 2 appear in this
# excerpt; rules 3 and 4 are expected further down the file.
file_list_rules = 4
# Policy for any attachment name no file_list_N rule matches
# (the "renames everything else" item in the header):
file_default_policy = defang

# Delete obviously nasty attachments.
# Note the pattern ends in \s* with no $ anchor: the extension is matched
# anywhere in the name, not only at the end (the "middle extension" case
# from the header). `cpl` is listed twice; harmless in an alternation,
# but drop one copy when you next edit this list.
file_list_1 = (?i)(winmail\.dat)|
file_list_1 += (\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|inf|ins|isp|dll|drv|msi|cmd|sc[rt]|sys|bat|pif|lnk
file_list_1 += |hlp|ms[cip]|reg|asd|sh[bs]|app|ocx|htt|hta|mht|url|exe|ws[cfh]|ops
file_list_1 += |mim|uue|uu|b64|bhx|hqx|xxe))\s*
file_list_1_policy = drop
file_list_1_scanner = 0

# Don't touch "harmless" file types and those that are
# scanned by your organization's downstream virus scanner.
# Unlike rule 1 this pattern is anchored with \s*$, so only the final
# extension decides; a name already caught by rule 1 never gets here.
# This rule is purely name-based and invokes no scanner
# (file_list_2_scanner = 0): the downstream antivirus from the header
# warning is what inspects the content of anything accepted here.
file_list_2 = (?i)\.
# Word processors and document formats. Note that .dot and .doc may
# carry macros and .htm/.html is accepted as an attachment type; the
# header warning applies, and active HTML relies on feat_html above
# (confirm it covers attached parts in your version).
file_list_2 += (doc|dot|txt|rtf|pdf|ps|htm|[sp]?html?
# Spreadsheets:
file_list_2 += |xls|xlw|xlt|csv|wk[1-4]
# Presentation applications:
file_list_2 += |ppt|pps|pot
# Bitmap graphics:
file_list_2 += |jpe?g|gif|png|tiff?|bmp|psd|pcx
# Vector graphics and diagramming:
file_list_2 += |vsd|drw
# Multimedia:
file_list_2 += |mp3|avi|mpe?g|mov|ram?
# Archives. Accepted on the strength of the outer file name only --
# nothing in this ruleset looks inside the archive, so the executable
# types dropped by rule 1 pass through if packed in one of these;
# the downstream scanner must handle archive contents.
file_list_2 += |zip|g?z|tgz|bz2|tar
# Uncompiled code:
file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)\s*$
file_list_2_policy = accept
file_list_2_scanner = 0