Discussion:
js in zip attachment of e-mail
Thomas Spuhler
2016-03-01 21:38:00 UTC
There are a lot of e-mails on the loose with subject "Unpaid invoice # xxxx"
containing a zipped .js (JavaScript) file. I got about 10 of them today.
Is there a way to filter them out using amavisd?
--
Best regards
Thomas Spuhler

All of my e-mails have a valid digital signature
ID 60114E63
Thomas Spuhler
2016-03-01 22:04:30 UTC
Post by Thomas Spuhler
There are a lot of e-mails on the loose with subject "Unpaid invoice # xxxx"
containing a zipped .js (JavaScript) file. I got about 10 of them today.
Is there a way to filter them out using amavisd?
I figured it out, Just adding js to the banned extensions worked.
--
Best regards
Thomas Spuhler

All of my e-mails have a valid digital signature
ID 60114E63
Jakob Curdes
2016-03-01 22:05:26 UTC
Post by Thomas Spuhler
There are a lot of e-mails on the loose with subject "Unpaid invoice # xxxx"
containing a zipped .js (JavaScript) file. I got about 10 of them today.
Is there a way to filter them out using amavisd?
We just banned .js as mail attachments everywhere; no sane human would
send .js files as a mail attachment over a public mail server!?
JC
@lbutlr
2016-03-02 14:10:12 UTC
Post by Thomas Spuhler
There are a lot of e-mails on the loose with subject "Unpaid invoice # xxxx"
containing a zipped .js (JavaScript) file. I got about 10 of them today.
Is there a way to filter them out using amavisd?
We just banned .js as mail attachments everywhere; no sane human would send .js files as a mail attachment over a public mail server!?
I’m new to amavisd, how exactly would I add .js to the blacklist and will that work for .js files inside zips?
--
No matter how fast light travels it finds the darkness has always got
there first, and is waiting for it.
Dino Edwards
2016-03-02 14:32:48 UTC
Like this:

[qr'.\.(js)$'ix => 1]

Assuming you have a zip extractor installed on your machine, it will work inside zip files.
Post by Jakob Curdes
Post by Thomas Spuhler
There are a lot of e-mails on the loose with subject "Unpaid invoice # xxxx"
containing a zipped .js (JavaScript) file. I got about 10 of them today.
Is there a way to filter them out using amavisd?
We just banned .js as mail attachments everywhere; no sane human would
send .js files as a mail attachment over a public mail server!?
I'm new to amavisd, how exactly would I add .js to the blacklist and will that
work for .js files inside zips?
--
No matter how fast light travels it finds the darkness has always got there
first, and is waiting for it.
@lbutlr
2016-03-02 23:34:39 UTC
Post by Dino Edwards
[qr'.\.(js)$'ix => 1]
And where would I put that? And what sort of config is that? I’ve never seen any config file that put things inside square brackets…
--
Blatant mistakes are the best kind. — John W Baxter
Dino Edwards
2016-03-03 00:12:09 UTC
Just a way of doing it. Here's the whole config I use for a rule named "Default", since I like to assign file rules to amavis rules, which in turn I assign to particular users. The "=> 1" part means block; for allow you would use "=> 0". I just learned that the "i" means case-insensitive, and if you see an "x" it means ignore extra spaces in the regexp.

%banned_rules = (
  'Default' => new_RE(
    # double extension, e.g. invoice.pdf.exe
    [qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll|rtf)\.?$'i => 1],
    # Windows CLSID used as a file name
    [qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i => 1],
    # banned by declared MIME type
    [qr'^application/x-msdownload$'i => 1],
    [qr'^application/x-msdos-program$'i => 1],
    [qr'^application/hta$'i => 1],
    # banned by file name extension
    [qr'.\.(exe)$'i => 1],
    [qr'.\.(vbs)$'i => 1],
    [qr'.\.(pif)$'i => 1],
    [qr'.\.(scr)$'i => 1],
    [qr'.\.(bat)$'i => 1],
    [qr'.\.(cmd)$'i => 1],
    [qr'.\.(com)$'i => 1],
    [qr'.\.(cpl)$'i => 1],
    [qr'.\.(rtf)$'i => 1],
    # banned by file(1)-detected content type (amavisd presents it as ".type")
    [qr'^\.(exe-ms)$' => 1],
    [qr'^\.(dll)$' => 1],
    [qr'^\.(lha)$' => 1],
    [qr'^\.(exe)$' => 1],
    [qr'^\.(tnef)$' => 1],
    [qr'^\.(cab)$' => 1]
  ),
);

Another way of doing it, if you are using a global config, is like this; just add the "js" extension to the line below:

$banned_filename_re = new_RE(
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl|rtf|js)$'i
);

The above regexp ".\.(exe|vbs|pif|scr|bat|cmd|com|cpl|rtf|js)$" will match any file name with one of the above extensions (for example test.exe, test.vbs, etc.). You can test the regexp at http://www.regex101.com (make sure you take out the double quotes from both sides).
Post by Dino Edwards
[qr'.\.(js)$'ix => 1]
And where would I put that? And what sort of config is that? I’ve never seen
any config file that put things inside square brackets…
--
Blatant mistakes are the best kind. — John W
Thomas Spuhler
2016-03-03 15:19:21 UTC
Post by Dino Edwards
[qr'.\.(js)$'ix => 1]
And where would I put that? And what sort of config is that? I’ve never seen
any config file that put things inside square brackets

I changed this line in /etc/amavisd/amavisd.conf in section $banned_filename_re = new_RE(

qr'.\.(pif|scr)$'i, # banned extensions - rudimentary
to
qr'.\.(pif|scr|js)$'i, # banned extensions - rudimentary

Then you need to restart amavisd.
--
Best regards
Thomas Spuhler

All of my e-mails have a valid digital signature
ID 60114E63
@lbutlr
2016-03-03 17:50:13 UTC
Post by Thomas Spuhler
Post by @lbutlr
Post by Dino Edwards
[qr'.\.(js)$'ix => 1]
And where would I put that? And what sort of config is that? I’ve never seen
any config file that put things inside square brackets…
I changed this line in /etc/amavisd/amavisd.conf in section $banned_filename_re = new_RE(
Thanks.

I went with:

qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wmf|wsc|wsf|wsh)$'ix, # banned extensions - long
qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename
qr'^\.ani$', # banned animated cursor file(1) type
qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerable.

Considering adding the MS-Office extensions as well, but I think postfix already bans those.
--
'Winners never talk about glorious victories. That's because they're the
ones who see what the battlefield looks like afterwards. It's only the
losers who have glorious victories.' --Small Gods
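The thread settles on a name regex that amavisd applies to every attachment name, including the names of members in archives it can unpack, with the first matching rule deciding block (=> 1) or allow (=> 0). The script below is an added example written for this page, not amavisd's own (Perl) code: it ports the regexes from Dino's and Thomas's posts to Python, builds a constructed "Unpaid invoice" message carrying a zip with a .js member, and applies the same first-match-wins semantics to each name, including names inside the zip. The sample addresses, subject, file names, the size limit and the extra .zip allow rule are all assumptions made for the example; amavisd unpacks archives with external decoders, for which Python's zipfile stands in here.

```python
"""
Emulate amavisd's banned-name check over a constructed phishing e-mail.

Added example, not amavisd code. amavisd is Perl and unpacks archives with
external decoders; Python's zipfile stands in for that here.
"""
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Ported from the regexes in the thread. Like amavisd's new_RE list, the
# first rule whose regex matches decides: True = block ("=> 1"),
# False = allow ("=> 0"). The .zip allow rule is an assumption added here
# only to show the allow form; it is not in the thread.
BANNED_RULES = [
    # double extension, e.g. invoice.pdf.exe or invoice.txt.js
    (re.compile(r'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll|rtf|js)\.?$', re.I), True),
    # single banned extension; .js added as the thread recommends
    (re.compile(r'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl|rtf|js|jse|wsf|hta)$', re.I), True),
    # the archive itself is allowed; its members are judged on their own names
    (re.compile(r'.\.(zip|7z|rar)$', re.I), False),
]

ZIP_MAGIC = (b'PK\x03\x04', b'PK\x05\x06')
MAX_MEMBER = 10_000_000  # bytes; do not inflate oversized members (assumption)


def verdict(name):
    """Return True if the file name is banned, False if allowed."""
    for rx, block in BANNED_RULES:
        if rx.search(name):
            return block
    return False  # no rule matched: allow, as in amavisd


def iter_names(name, data, depth=0, max_depth=3):
    """Yield every name to check: the attachment and, for zips, its members recursively."""
    yield name
    if depth < max_depth and data[:4] in ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = zf.read(info) if info.file_size <= MAX_MEMBER else b''
                    yield from iter_names(info.filename, inner, depth + 1, max_depth)
        except zipfile.BadZipFile:
            pass  # amavisd would flag an undecodable archive; out of scope here


def scan_message(raw):
    """Return [(name, blocked), ...] for every attachment name found in the message."""
    msg = email.message_from_bytes(raw)
    results = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue  # body text and multipart containers carry no file name
        payload = part.get_payload(decode=True) or b''
        for name in iter_names(fname, payload):
            results.append((name, verdict(name)))
    return results


def build_sample():
    """Constructed lure: 'Unpaid invoice' mail carrying a zip with a .js member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('Unpaid_invoice_48213.js', '// placeholder, not a real dropper\n')
        zf.writestr('readme.txt', 'see attached\n')
    msg = EmailMessage()
    msg['Subject'] = 'Unpaid invoice # 48213'
    msg['From'] = 'billing@example.invalid'
    msg['To'] = 'user@example.invalid'
    msg.set_content('Please find the unpaid invoice attached.')
    msg.add_attachment(buf.getvalue(), maintype='application', subtype='zip',
                       filename='invoice_48213.zip')
    return msg.as_bytes()


if __name__ == '__main__':
    for name, blocked in scan_message(build_sample()):
        print(f"{'BLOCK' if blocked else 'allow'}  {name}")
```

Running it lists the outer invoice_48213.zip as allowed and the Unpaid_invoice_48213.js member inside it as blocked, which is the behaviour the thread is after. One caveat visible from the regexes themselves: a name such as invoice.js. (trailing dot, which Windows strips when saving) matches neither the single-extension rule, because `$` must follow `js`, nor the double-extension rule, because that one needs a second extension after the dot; the `\.?$` tail in the double-extension rule only covers the invoice.pdf.js. form.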