=============================================================================
 NOTE:  The following text discusses how to install the Anomy Mail Sanitizer
 for use with Postfix.  It was contributed by Patrick Duane Dunston
 <duane@duane.yi.org>, with help from Bill Kenworthy. -- bre
=============================================================================

##########POSTFIX AND ANOMY##############

1.  Download the latest MIME-BASE64.xxx.xxx.tar.gz tarball from
www.cpan.org.  It contains the modules required for Anomy.

2.  Install it.

tar xzvf MIME-BASE64.xxx.xxx.tar.gz
cd MIME-BASE64.xxx.xxx
perl Makefile.PL
make
make test
make install

3.  Untar the Anomy tarball.

Follow the documentation on the website to test the installation of the
Perl module.

4.  Add the following to /etc/procmailrc

#________________________________
# Procmail filter rules for sanitizing email and then resending it.
# Uncomment the following lines to enable logging or verbose logging.
#VERBOSE=yes
#LOGFILE=/var/log/procmail-sanitizer.log

:0 c
  /home/mail-backup

ANOMY=/usr/local/anomy/
:0 fw
   |/usr/local/anomy/bin/sanitizer.pl /etc/sanitizer.cfg
#________________________________


5.  Add the following to the /etc/sanitizer.cfg file.

# Active features.
#
  feat_boundaries     = 0
  feat_files          = 1
  feat_forwards       = 1
  feat_html           = 1
  feat_lengths        = 1
  feat_log_inline     = 1
  feat_log_stderr     = 0
  feat_scripts        = 1
  feat_trust_pgp      = 0
  feat_uuencoded      = 1
  feat_verbose        = 1
  file_list_rules     = 4
  #
  # Note:  This directory must exist and be writable by
  # the user running the sanitizer.
  #
  file_name_tpl       = /var/quarantine/att-$F-$T.$$

  # Files we absolutely don't want (mostly executables).
  #
  file_list_1_scanner = 0
  file_list_1_policy  = save
  file_list_1         = (?i)(winmail\.dat
  file_list_1        += |\.(exe|vb[es]|c(om|hm)|bat|pif|s(ys|cr))
  file_list_1        += (\.g?z|\.bz\d?)*)$

  # Pure data, don't mangle this stuff (much).
  #
  file_list_2_scanner = 0
  file_list_2_policy  = accept
  file_list_2         = (?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx)|bmp
  file_list_2        += |mp[32]|wav|au|ram?
  file_list_2        += |avi|mov|mpe?g
  file_list_2        += |t(xt|ex)|csv|l(og|yx)|sql|jtmpl
  file_list_2        += |[ch](pp|\+\+)?|s|inc|asm|pa(tch|s)|java|php\d?
  file_list_2        += |[ja]sp|xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?
  file_list_2        += |class|upd|wp\d?|m?db
  file_list_2        += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz
  file_list_2        += |can|pos|ux|reg|kbf|xal|\d+)(\.g?z|\.bz\d?)*$

  file_list_3_scanner = 0
  file_list_3_policy  = accept
  file_list_3         = ^[^\.]+$

  # Default policy: accept, but mangle file name.
  #
  file_default_policy = defang

6.  Edit the Postfix main.cf file (usually /etc/postfix/main.cf) and add
the following directive (a bare "mailbox_command = /usr/bin/procmail" line
is not needed; when a parameter is set twice, Postfix uses the last value):

mailbox_command = /usr/bin/procmail -a "$EXTENSION" -p /etc/procmailrc


7.  Refresh postfix:

/usr/sbin/postfix reload

8.  Create a file with a .vbs extension (or any other extension you are
denying).  This is also a good way to test new rules added later.

/bin/touch test.vbs

Email that file to yourself on your local system; the file does not need
any content.

Check the output of /var/log/maillog.

This is what I see on my system.

Apr 30 16:09:51 mail postfix/local[22733]: 1F98965C93:
to=<me@myhost.com>, relay=local, delay=0, status=sent
("|/usr/bin/procmail -a "$EXTENSION" -p /etc/procmailrc")

If all goes well, the attachment should be mangled when you receive the
email.
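The rule evaluation that the sanitizer.cfg in step 5 sets up, and that step 8 tests by mailing yourself a file, can also be checked offline before a rule goes live. This is an added example, not code from Anomy or from this document: it copies the three file_list regexes above into Python and assumes Anomy's semantics, namely that the lists are tried in order, the first match decides the policy, and an unmatched name gets file_default_policy.

```python
import re

# Rule lists copied from the sanitizer.cfg above.  Each "+=" continuation
# line in the config is appended with no separator, which is exactly what
# the adjacent string literals below do.
FILE_LIST_1 = (r"(?i)(winmail\.dat"
               r"|\.(exe|vb[es]|c(om|hm)|bat|pif|s(ys|cr))"
               r"(\.g?z|\.bz\d?)*)$")
FILE_LIST_2 = (r"(?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx)|bmp"
               r"|mp[32]|wav|au|ram?"
               r"|avi|mov|mpe?g"
               r"|t(xt|ex)|csv|l(og|yx)|sql|jtmpl"
               r"|[ch](pp|\+\+)?|s|inc|asm|pa(tch|s)|java|php\d?"
               r"|[ja]sp|xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?"
               r"|class|upd|wp\d?|m?db"
               r"|z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz"
               r"|can|pos|ux|reg|kbf|xal|\d+)(\.g?z|\.bz\d?)*$")
FILE_LIST_3 = r"^[^\.]+$"

# (list name, compiled regex, file_list_N_policy) in config order.
# Assumption: the first list whose regex matches decides the policy, and a
# name matching no list falls through to file_default_policy.
RULES = [
    ("file_list_1", re.compile(FILE_LIST_1), "save"),
    ("file_list_2", re.compile(FILE_LIST_2), "accept"),
    ("file_list_3", re.compile(FILE_LIST_3), "accept"),
]
DEFAULT_POLICY = "defang"


def classify(filename):
    """Return (matching list, policy) for one attachment file name."""
    for list_name, regex, policy in RULES:
        if regex.search(filename):
            return list_name, policy
    return "file_default_policy", DEFAULT_POLICY


def dry_run(filenames):
    """Map each file name to the policy the config above would apply."""
    return {name: classify(name)[1] for name in filenames}


if __name__ == "__main__":
    # Constructed sample names: the test.vbs from step 8 plus a few others.
    samples = ["test.vbs", "winmail.dat", "evil.exe.gz", "report.pdf",
               "photo.jpg.bz2", "README", "setup.msi"]
    for name, policy in dry_run(samples).items():
        print(f"{name:16} -> {policy}")
```

Note that setup.msi lands on the default "defang" policy rather than on the "save" list, which is the kind of gap a dry run like this surfaces before a message has to be sent through Postfix.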


SIDE NOTE:  If your /etc/sanitizer.cfg file doesn't seem to work properly
from the sample above, comment out the /etc/sanitizer.cfg part of the
/etc/procmailrc file.  Just let the builtin configuration from the
sanitizer.pl script run and see if it mangles the email.  If so, then
there is something wrong with the /etc/sanitizer.cfg configuration.

Like this (don't comment out the whole line, just the /etc/sanitizer.cfg
part):

:0 c
  /home/mail-backup

ANOMY=/usr/local/anomy/
:0 fw
   |/usr/local/anomy/bin/sanitizer.pl #/etc/sanitizer.cfg


The sanitizer.pl Perl script that runs Anomy provides good protection right
out of the box.

