what is olefy

uniquegch

I am not sure what olefy is. seems it has something to do with rspamd?

accolon

olefy makes it possible to use oletools with rspamd. oletools are mainly used to analyze Microsoft Office files.

uniquegch

Hello accolon, thanks for your reply and quick description. That applies for office files being an attachment coming in or send out? Would that also apply for “office” files generated with OpenOffice, Libreoffice?
At this point I do not see the need for my setup (personally). please correct me if I am wrong. Always happy to learn something new (even for an old dog like me).

accolon

Since oletools specifically targets the MS OLE2 file format, I suppose it’s for macros in MS Office only.

In mailcow, it’s configured in extended mode, see also the rspamd docs.

However, mailcow only seems to use oletools to detect the presence of macros in office documents, not using the separate flags returned.

As you can see here, only inbound and unauthenticated (i.e. externally sent) mails are scored:
composites.conf, line 29 ff.

I’m not sure if I ever received an email with an MS Office document containing macros either, but it’s probably not worth the time messing around with this feature since it’s already there and working fine.

esackbauer

Its not only for macros but also - and that is important! - for embedded files in office documents. OLE means “object linking and embedding”. So a malicious picture, URL or PDF embedded in an office document. That means mails in .eml format as well.

I don’t get why people choose mailcow, and then want switch off things they think they don’t use or need. There are more lean mailserver stacks if you want to achieve that.
Deactivating olefy might break mailcow, maybe not immediately, but sure enough during an upgrade.

accolon

esackbauer Its not only for macros but also - and that is important! - for embedded files in office documents. OLE means “object linking and embedding”. So a malicious picture, URL or PDF embedded in an office document.

You’re right, I didn’t differentiate clearly enough between the possibilities of oletools and the way rspamd uses it, as described here:
https://rspamd.com/doc/modules/external_services.html#oletools-specific-details

For the default mode, it says:
“Oletools is an excellent Python module for scanning and analyzing office documents containing macros. Macro-viruses typically use an auto-exec function to load when the document is opened, as well as functions for executing code in a shell or saving files to the system. Oletools classifies harmful functions as either AutoExec or Suspicious. In the default mode, the Oletools module sets the result when at least one AutoExec and one Suspicious function are used.”

And for extended mode (used by mailcow):
“In extended mode, the oletools module does not trigger on specific categories but always sets a threat string with all the found flags whenever a macro is detected.”

The flags all seem to be macro-related.

So if I see this correctly, rspamd (and therefore mailcow) uses oletools via olefy only to look for macros.

uniquegch

Hello accolon, thanks for your posts. that is good information helping me understading this topic better.