Dealing with Gmail’s attachment ‘security’

Blocked!

Ugh, I’m sure I’m not the only one that has this issue.  So before Google Drive and friends were a thing, Gmail gave us 1GB of mail space (at the time why it was called ‘G’ mail).  And what better way to make files available between machines than to email them to yourself?

Well this worked for YEARS then they started to block some extensions, and now they block damned near everything.  From their ‘Learn more’

Some file types are blocked

As a security measure to prevent potential viruses, Gmail doesn’t allow you to send or receive executable files (such as files ending in .exe). Executable files can contain harmful code that might cause malicious software to download to your computer. In addition, Gmail doesn’t allow you to send or receive corrupted files, files that don’t work properly.

File types that can’t be sent or received

You can’t send or receive the following file types:

.ade, .adp, .bat, .chm, .cmd, .com, .cpl, .exe, .hta, .ins, .isp, .jar, .jse, .lib, .lnk, .mde, .msc, .msp, .mst, .pif, .scr, .sct, .shb, .sys, .vb, .vbe, .vbs, .vxd, .wsc, .wsf, .wsh

Messages containing the types of files listed above will be bounced back and returned to the sender automatically. Gmail won’t accept these file types even if they’re sent in a zipped format. Here are some examples of zipped formats:

.zip, .tar, .tgz, .taz, .z, .gz, .rar

Well isn’t that great.  Of course when I’m uploading source I tend to include executables, custom batch scripts to either clean or prepare, and sometimes run whatever it is I’m doing. Perhaps libraries, jars and maybe even device drivers.

Thinking the email attachment had been lost I was looking to see if I can forward it, when I stumbled onto this interesting bit:

The show original option!

This lets you view the email in its unformatted state, which also includes the attachments!

So from here it’s a simple matter of saving the file to your hard disk.  It is important that you ONLY save the base64 portion, not the headers.  I guess this is a pain for multiple attachments as b64 doesn’t read MIME containers.

If you look at an email it’ll roughly look like this:

MIME-Version: 1.0
Received: by 10.64.9.141 with HTTP; Tue, 29 Oct 2012 13:33:16 -0700 (PDT)
Date: Tue, 29 Oct 2012 13:33:26 +0800
Delivered-To: neozeed@gmail.com
Message-ID: <CA+rfG9Z-5Ej7iuXs36a_Lryqw+gs52GMUEFE9XPrSswjHRxXqw@mail.gmail.com>
Subject: doom?
From: Neozeed <n30z33d@gmail.com>
To: The Number One Guy <the_numberone_guy@gmail.com>
Content-Type: multipart/mixed; boundary=001a11c3b874d1eaf704e9dde937

--001a11c3b874d1eaf704e9dde937
Content-Type: multipart/alternative; boundary=001a11c3b874d1eaf204e9dde935

--001a11c3b874d1eaf204e9dde935
Content-Type: text/plain; charset=ISO-8859-1

Don't lose this file!

--001a11c3b874d1eaf204e9dde935
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Don't lose this file! =A0<div><br></div>

--001a11c3b874d1eaf204e9dde935--
--001a11c3b874d1eaf704e9dde937
Content-Type: application/octet-stream; name="DOOM_SRC_102813.7Z"
Content-Disposition: attachment; filename="DOOM_SRC_102813.7Z"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_hncxub2b0

N3q8ryccAAPH+QLokKMEAAAAAAAkAAAAAAAAAKm3ezkABoLDcK0hSHl0xaeKFIsLY1Idc7MMQAtM
jDXWS9Sc5PvtvOmy27+byH8YZTOBY65JnEi5L9U41YDw53Wi1/xxpcR8Az8yIfc7DjQIT0ULtATL

We start the file at the
N3q8ryccAAPH+QLokKMEAAAAAAAkAAAAAAAAAKm3ezkABoLDcK0hSHl0xaeKFIsLY1Idc7MMQAtM

line.  I’m going to save it in notepad as “attachment.b64”

Now for the decoding!

I’m using b64, from sourceforge.  However you need an ‘older’ version 1.4 as the newer version has a decode bug.  Also

b64 -l76 -d attachment.b64 output.7z

And this will (blindly) decode the attachment.b64 into output.7z.  And from here you can extract the file without any issues.
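
An added example, not part of the original post: Python's standard email module can read the saved "Show original" text whole, so the base64 does not have to be cut out by hand and several attachments are handled in one pass. The sample message, addresses and file names below are constructed for the example.

```python
import hashlib
import os
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample():
    """Constructed stand-in for a saved "Show original" message (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "doom?"
    msg.set_content("Don't lose this file!")
    # Constructed payloads: 7z magic bytes plus filler, and a one-line batch file.
    msg.add_attachment(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 200, maintype="application",
                       subtype="octet-stream", filename="DOOM_SRC.7Z")
    msg.add_attachment(b"@echo off\r\n", maintype="application",
                       subtype="octet-stream", filename="../../clean.bat")
    return msg.as_bytes()


def extract_attachments(raw):
    """Return [(safe_name, data, sha256_hex)] for every attachment part."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue  # containers and the text/html body are not files
        data = part.get_payload(decode=True)  # undoes the base64 transfer encoding
        fallback = "attachment-%d.bin" % index
        name = part.get_filename() or fallback
        # The sender controls the name: keep only the final path component.
        safe = os.path.basename(name.replace("\\", "/")) or fallback
        found.append((safe, data, hashlib.sha256(data).hexdigest()))
    return found


def save_all(raw, outdir):
    """Write each attachment into outdir and return the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for name, data, _digest in extract_attachments(raw):
        path = os.path.join(outdir, name)
        with open(path, "xb") as handle:  # "x": never overwrite an existing file
            handle.write(data)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for name, data, digest in extract_attachments(build_sample()):
        print(name, len(data), digest)
```

The SHA-256 printed for each file can be compared with one taken on the sending machine before the archive is unpacked.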

As a bonus, if you have Outlook, you can just save the entire file as an .eml and open it in Outlook!

So easy!

Also for Outlook 2003/2007 users you may have to use this registry alteration to have them support direct loading of .eml files.

Exchange 5.5 OWA vs Outlook 2003

ASP 0115

error ‘ASP 0115’

Unexpected error

/exchange/USA/root.asp

A trappable error occurred in an external object. The script cannot continue running.

So, call me crazy, but I’ve been running an Exchange 5.5 server at home for a while without issues.  It’s perfect for a single user, I can keep up to 16GB worth of email on there, and best of all I can use real email clients like Outlook (or is it LookOut!?).  Anyways I noticed something weird which is that Outlook 2003 always is unsure if the server is there, and I have to tell it that it’s OK to connect.  Also once the Outlook 2003 client connects, it kills OWA, giving me these weird ASP 0115 Unexpected errors.

Googling around for a fix was a bit futile, and I’d largely written off OWA, as in this day & age, who really wants some ASP 3.0 app?  But for some reason, today was going to be the day to fix it, as I don’t have Outlook on my MacBook Air.

So with the Outlook 2003 clue in mind I finally found KB-818709, aka “Outlook Web Access stops responding when you try to access a mailbox on an Exchange 5.5 computer”.

As the cause states:

This problem occurs when you try to access a user account that was previously accessed by a client computer that is running Microsoft Office Outlook 2003.

Outlook 2003 adds a fourth entry to the PR_FREEBUSY_ENTRYIDS property. PR_FREEBUSY_ENTRYIDS is a multi-valued MAPI property that is stored on the Inbox folder. CDO expects three entries. The unexpected fourth entry causes heap corruption that causes OWA or the third-party program to stop responding.

Well how about that?

So with the hotfix in hand, and a reboot, it now works perfectly, like it did back in 1997.  And the best part is that it works great in Chrome.

And for anyone crazy like me with Exchange 5.5, remember to install SP4, and of course the KB829436 hotfix!

Running Microsoft Exchange from home.

Well thanks to my latest outage, I’ve gone back from having an Exchange server in the “cloud” (well really a server I rented), to a Virtual Server at home.

First my ‘plan’ is to get a VPS that I can run OpenVPN on.  From there I’m going to build a VM at home that will also run OpenVPN, and it will connect to the VPS.  I will then set up routing, so that the Exchange server can then communicate with the VPS’s internal interface, and the VPS can communicate directly with the Exchange server.  I’ll then configure postfix to store & forward email to the Exchange server.  This way if the link drops, the VPS will just spool the mail.  Finally I’ll set up SpamAssassin to filter out the SPAM.

First you will need to have a tun0 interface in your VPS.  Almost everyone supports this these days so it shouldn’t be too hard… If you cannot get a tun0 interface, perhaps ppp0 with pptp..?

I followed these instructions on setting up OpenVPN on Debian 6.  Now granted, I’m using Debian 7, but the instructions are pretty much the same.  Basically you have to setup a CA (Certificate Authority), and then you generate a Server certificate, and a client certificate.  For my needs, I’m going to issue single certificates for everything(one) that connects into my VPN.  I also have a network at home that I want routed to the VPS, so this is included (192.168.0.0/24).

A simple server.conf looks like this:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 192.168.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

And the client configuration I’m using is this:

client
dev tun
proto udp
remote MYHOST MYPORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert hong-kong-home.crt
key hong-kong-home.key
ns-cert-type server
comp-lzo
verb 3
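
An added example, not part of the original post: a small Python check run over directives copied (abridged) from the two listings above, flagging settings that current OpenVPN releases treat as weak or obsolete (1024-bit DH parameters, comp-lzo, ns-cert-type) and noting that the server listing has no key line. The finding names are made up for this example, and the DH size is guessed from the file name.

```python
import re

# Directives copied from the server and client listings above (abridged).
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
"""
CLIENT_CONF = """\
client
remote MYHOST MYPORT
ca ca.crt
cert hong-kong-home.crt
key hong-kong-home.key
ns-cert-type server
comp-lzo
"""


def parse(conf):
    """Map each directive to its argument list, skipping blanks and comments."""
    directives = {}
    for line in conf.splitlines():
        words = line.split()
        if words and words[0][0] not in "#;":
            directives[words[0]] = words[1:]
    return directives


def audit(conf):
    """Return finding ids (names invented here) for weak or obsolete settings."""
    d = parse(conf)
    findings = []
    if "cert" in d and "key" not in d:
        findings.append("missing-key")        # certificate without its private key
    size = re.search(r"\d{3,5}", " ".join(d.get("dh", [])))
    if size and int(size.group()) < 2048:     # heuristic: size read from file name
        findings.append("weak-dh")
    if d.get("comp-lzo", ["no"]) != ["no"]:
        findings.append("compression")        # compression before encryption (VORACLE)
    if "ns-cert-type" in d:
        findings.append("legacy-cert-check")  # superseded by remote-cert-tls
    elif "client" in d and "remote-cert-tls" not in d:
        findings.append("no-server-cert-check")
    if not {"tls-auth", "tls-crypt"} & set(d):
        findings.append("no-control-channel-hmac")
    return findings
```
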

In the directory /etc/openvpn/ccd on the server, I have to ensure that I have a file called ‘homefw’ which is the common name of the client certificate.  It has to contain the following line to ensure that my home network is routed to the VPS.

iroute 192.168.0.0 255.255.255.0

Don’t forget to turn on IP forwarding on both the VPS, and the local ‘tunnel router’.  For Linux based stuff you need to make sure that “/proc/sys/net/ipv4/ip_forward” is a 1.  You can just do a simple “echo 1 > /proc/sys/net/ipv4/ip_forward” in “/etc/rc.local” or go through your distribution’s networking documentation to make sure you set it up ‘correctly’.

In OpenBSD I just simply uncomment the following line from /etc/sysctl.conf

net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets

If you don’t have routing in place you’ll notice that you can only ping the tunnel interfaces, but not the IPs on the LAN.  While this may be fine for a p2p or client setup it isn’t good enough if you want to route traffic.

I’m running VMWare ESXi 5 at home, and thankfully it does support Windows NT 4.0 Server out of the box.  I setup a Domain Controller running DNS & WINS.  The VMWare tools won’t work properly with some service pack (4 I think?) but I went all the way to 6, along with the rollup.  Until you load the service pack, the network adapter will *NOT* work.

I’m going with Exchange 5.5, so again I installed another NT 4.0 server, service packed it, and joined it with the domain controller.  Remember to install IIS, and the ASP update, as 5.5 OWA needs ASP. Be sure to apply the latest service pack for Exchange (SP4 in the case of Exchange 5.5).

Now for routing I could go with dynamic routing, or static routing.  I chose static as I didn’t want to get too involved for this project, as I needed to get email flowing as quickly as possible.

route add 10.8.0.1 mask 255.255.255.255 192.168.0.49 -p

From Windows NT.

It is imperative no matter what version of Exchange you run, that you turn off the open relay “feature”.  A great step by step guide is available here on msexchange.org.

With the basic routing in place you should be able to talk to the Exchange servers’ SMTP engine.  You may want to setup either a local DNS and populate the VPS’s source address or put in some host entries for it.

# telnet 192.168.0.55 25
Trying 192.168.0.55...
Connected to 192.168.0.55.
Escape character is '^]'.
220 exchange.superglobalmegacorp.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready
HELO
250 OK

Now it would be insane to place an Exchange server directly onto the internet.  Plus when the VPN link is down, it’d be nice to have the VPS store email and forward it when it can.  So for this task I installed postfix.

For me the big changes in main.cf were:

mydestination = nodedeploy.superglobalmegacorp.com, localhost.superglobalmegacorp.com, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.8.0.0/24 192.168.0.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
relay_domains = superglobalmegacorp.com work.com
transport_maps = hash:/etc/postfix/transport
virtual_alias_domains = virtuallyfun.com
virtual_alias_maps = hash:/etc/postfix/virtual

This will permit my exchange server to relay out my VPS, and tell postfix that it’s OK to accept email for the various domains I have.

My transport database is very simple.  For the email accounts I’m using two domains, so I simply instruct postfix to forward emails destined to these domains to the exchange server

superglobalmegacorp.com smtp:192.168.0.55
work.com smtp:192.168.0.55

And for domains I couldn’t be bothered to create mailboxes for, instead I have their email setup to forward to an existing box using a virtual domain in the ‘virtual’ file.

abuse@virtuallyfun.com abuse@work.com
postmaster@virtuallyfun.com postmaster@work.com

Now due to the nature of postfix you need to generate database hashes for it to work, so my script to kick this off is:

postmap hash:/etc/postfix/transport
postmap /etc/postfix/virtual
newaliases
postfix reload

Which isn’t too involved once you get the bits in the right place.

Assuming you’ve got your MX records setup on the outside, with any luck you should start seeing some mail flow through.  If not telnet to port 25 and start talking to your mail server.

One problem I have is that superglobalmegacorp.com is an old domain, and it’s lapsed a few times to different idiots who not only added to the ridiculous spam lists I’m on, but also spammed from it as well.  So to deal with SPAM, I went ahead and installed spamassassin, as described in this page.

As mentioned adding the two lines to master.cf got it going

smtp inet n - - - - smtpd -o content_filter=spamassassin -o syslog_name=postfix/submission
spamassassin unix - n n - - pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

And I did change the spamassassin local.cf

use_razor2 1
use_dcc 1
use_pyzor 1

As I do get a lot of spam.

I don’t think most people will care, but this is more so for me keeping my notes straight.  So yeah I run Exchange 5.5 at home (which I got on ebay for $25!) with Outlook 2003 on Windows XP x64.  It works well enough for me.