Resolved
0 votes
Hi,
I have a ClearOS 7.5.0 server that seems to always reject emails sent or received that have attachments that are in Microsoft docx or xlsx format.
The bounce message is as follows:

Subject: BANNED contents from you (_rels)

BANNED CONTENTS ALERT

Our content checker found
banned name: _rels

Can someone help me to stop this happening? I need the server to be able to send and receive attachments that are .docx or .xlsx for this machine.

I had a look at the /etc/amavisd.conf file but couldn't see anything that referred to _rels so I guess I may be looking in the wrong place.

Graham Sivill
Wednesday, February 13 2019, 05:10 PM
Responses (10)
  • Accepted Answer

    Wednesday, February 13 2019, 05:43 PM - #Permalink
    Resolved
    1 votes
    Do you have the mail antivirus app installed from the marketplace? If so, you can find its configuration in your Webconfig under Server>Messaging>Mail Antivirus>Settings and then look under the documents heading and untick docx and xlsx, then click on "update".

    I had a look at the /etc/amavisd.conf file but couldn't see anything that referred to _rels so I guess I may be looking in the wrong place.


    Your banned extensions would appear in /etc/amavisd/api.conf at any rate. Any changes in there and you would want to restart the service.
    systemctl restart amavisd.service
  • Accepted Answer

    Wednesday, February 13 2019, 06:11 PM - #Permalink
    Resolved
    0 votes
    Dirk Albring wrote:

    Do you have the mail antivirus app installed from the marketplace? If so, you can find its configuration in your Webconfig under Server>Messaging>Mail Antivirus>Settings and then look under the documents heading and untick docx and xlsx, then click on "update".

    I had a look at the /etc/amavisd.conf file but couldn't see anything that referred to _rels so I guess I may be looking in the wrong place.


    Your banned extensions would appear in /etc/amavisd/api.conf at any rate. Any changes in there and you would want to restart the service.
    systemctl restart amavisd.service


    Dirk,
    Thanks for your help. In the "Documents" section I don't have ticks on:
    doc
    docx
    xls
    xlsx

    I do have ticks on:
    docm
    dotm
    xlsm

    Could it be the macro enabled ones that are somehow picking up docx and xlsx as well?

    Graham Sivill
  • Accepted Answer

    Wednesday, February 13 2019, 06:24 PM - #Permalink
    Resolved
    1 votes
    Can you also check if you allow zip files? I think the M$ files are really zipped xml files and that used to be an issue many moons ago.
  • Accepted Answer

    Wednesday, February 13 2019, 06:36 PM - #Permalink
    Resolved
    1 votes
    Nick Howitt wrote:

    Can you also check if you allow zip files? I think the M$ files are really zipped xml files and that used to be an issue many moons ago.


    Nick,

    We do block .zip files as they are mostly infected with malware; allowing this through would be dangerous.
    I thought the system was just looking at the extension not the internal contents?

    Graham Sivill
  • Accepted Answer

    Wednesday, February 13 2019, 06:38 PM - #Permalink
    Resolved
    0 votes
    Yep, docm and xlsm are docx and xlsx files, but with macros enabled. Won't hurt to try it.
  • Accepted Answer

    Wednesday, February 13 2019, 07:13 PM - #Permalink
    Resolved
    0 votes
    Dirk Albring wrote:

    Yep, docm and xlsm are docx and xlsx files, but with macros enabled. Won't hurt to try it.


    Dirk,
    I unticked:

    dotm
    docm
    xlsm

    I then updated Banned File Extensions and then stopped and restarted the mail antivirus daemon and then sent the email and again I get:

    BANNED CONTENTS ALERT

    Our content checker found
    banned name: _rels

    So I don't think this is the answer. I will put them back and then do as Nick suggested, allow the Zip extension, and see if that works.

    Graham Sivill
  • Accepted Answer

    Wednesday, February 13 2019, 09:03 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Can you also check if you allow zip files? I think the M$ files are really zipped xml files and that used to be an issue many moons ago.


    Nick,

    I took zip files out of the banned list and sure enough the xlsx and docx files did not get bounced.
    The issue I have now is wanting to stop zip files getting through as a large number we get are malicious.
    I could write rules that send emails with zips to the junk folder, luckily we don't have many users.

    Thanks for your advice, at least I can solve the immediate problem, but I will need to figure how to avoid malware infected zips.

    Graham Sivill
  • Accepted Answer

    Wednesday, February 13 2019, 09:57 PM - #Permalink
    Resolved
    0 votes
    I've tried banning just zip files and then sending emails with both zip and docx attachments and the emails with zip get banned by amavis, but the emails with docx are sent out. Have you looked through your maillog log and seen if your emails with docx attachments are being banned? Mine show up as passed clean.
  • Accepted Answer

    Wednesday, February 13 2019, 10:23 PM - #Permalink
    Resolved
    0 votes
    Dirk Albring wrote:

    I've tried banning just zip files and then sending emails with both zip and docx attachments and the emails with zip get banned by amavis, but the emails with docx are sent out. Have you looked through your maillog log and seen if your emails with docx attachments are being banned? Mine show up as passed clean.


    Dirk,

    So far I have only tested it using xlsx files which do now send and receive without being blocked.
    I will send a docx from an external account to an internal recipient and see if that now gets through.

    Graham Sivill
  • Accepted Answer

    Wednesday, February 13 2019, 10:32 PM - #Permalink
    Resolved
    0 votes
    Dirk,

    I just sent a docx attachment from an external account and that got through as well.

    So my issue is solved and it was allowing .zip files in the content filter that did it.

    I find that quite unintuitive as I had always thought the "banned file extensions" part of Mail Antivirus was just that, it was filtering based on the attachment extension. It now appears not to be the case and the filtering is being done on the internal format of the attached files. I think this needs to be made clear in the Mail Antivirus label text or as a tooltip when you hover over the Setting section as it reads like we are just filtering on the extension when in fact it's much cleverer than that!

    Graham Sivill
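
Added example (not part of the thread and not amavisd's own code): a short Python check showing what a content-based filter sees when it opens a .docx or .xlsx, namely a ZIP container whose members include `_rels`, and how the same inspection can tell an OOXML document from a generic zip and flag the macro-enabled variants. The function names and the sample archives are constructed for illustration.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # signature of the first local file header in a ZIP


def build_sample(members):
    """Build an in-memory ZIP from {member_name: body} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def classify_attachment(filename, data):
    """Classify an attachment by its content; the extension is only reported."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"ext": ext, "container": "other", "top_level": [], "macros": False}
    if not data.startswith(ZIP_MAGIC) or not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    # Top-level entries are what shows up as member names such as "_rels".
    result["top_level"] = sorted({n.split("/", 1)[0] for n in names})
    # OOXML packages carry a content-type map and a package relationships part.
    is_ooxml = "[Content_Types].xml" in names and "_rels/.rels" in names
    result["container"] = "ooxml" if is_ooxml else "zip"
    # Macro-enabled documents (docm, dotm, xlsm) embed a VBA project stream.
    result["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    return result


# Constructed samples: skeleton packages, not real documents.
OOXML_PARTS = {"[Content_Types].xml": "<Types/>", "_rels/.rels": "<Relationships/>",
               "word/document.xml": "<document/>"}
DOCX = build_sample(OOXML_PARTS)
DOCM = build_sample({**OOXML_PARTS, "word/vbaProject.bin": "constructed"})
PLAIN_ZIP = build_sample({"notes.txt": "constructed"})

if __name__ == "__main__":
    for name, blob in [("report.docx", DOCX), ("report.docm", DOCM),
                       ("archive.zip", PLAIN_ZIP), ("renamed.jpg", DOCX)]:
        print(name, classify_attachment(name, blob))
```

The `renamed.jpg` case shows why a rule keyed on the detected file type still fires when the extension is changed.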