Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Version 3.6.1

Build Status

Changelog 3.6.1:

  • Fix for tmp filehandle error
  • Add new config option for dumping the mail body for forensics

Changelog 3.6:

  • fixing multiple issues and bugs (#41 , #38, #37, #35, #31, #30)
  • Add MIME header for the different stages.
  • The hash db is updated to SHA256 instead of MD5. Old MD5 hashes still supported.


I need some code review and help to make this milter better! If you find some bugs or the code is "creepy" -> feel free to contribute :) To contribute, please fork this repository and make pull requests to the master or testing branch.


master = production grade and tested implementation

testing = only for testing and non-prod. environments


This python based milter for the Sendmail and Postfix e-mail servers (mail-filter) checks an incoming mail for MS 20xx Office attachments. If a MS Office file is attached to the mail it will be scanned for suspicious VBA macro code. Documents with malicious macros are removed and replaced by harmless text files or will be rejected to the sender (see config.ini).

Supported Office formats:

  • Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)
  • Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)
  • PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm)
  • Word 2003 XML (.xml)
  • Word/Excel Single File Web Page / MHTML (.mht)
  • Publisher (.pub)

Paper (german only) -> download link

Video / Talk (german only) -> HdM-events

Chemnitzer Linux Tage 2018 - Talk -> CLT2018

The repo is optimized for Visual Studio


  • Parsing VBA macros for suspicious code and function calls
  • Uses the milter interface at postfix and sendmail
  • Easy to implement
  • Not based on virus heuristics (high detection rate)
  • Whitelisting
  • Creates a hashtable for already scanned files (prevents rescans)
  • Runs at the pre-queue at postfix


This milter use the functionality from the oletools ( and pymilter ( projects.


Debian and Ubuntu

Download the "" script from the repo - It creates and downloads all required files and packages. Please use for Ubunut 14.10 and higher the "old" systemd script part! For 14.0x and older please use the upstart part!


dnf install macromilter
systemctl enable --now macromilter.service

postconf -e smtpd_milters=inet: milter_default_action=accept
systemctl reload postfix.service

Red Hat Enterprise Linux and CentOS

yum install epel-release  # Only if EPEL is not already enabled

yum install macromilter
systemctl enable --now macromilter.service

postconf -e smtpd_milters=inet: milter_default_action=accept
systemctl reload postfix.service

User whitelist

To allow a user or whole domain to send false-positive VAB-Macro-Mails, enter only the user mail address ( or the domain ( See config.ini for more details.

Macro whitelist

To allow only a special and wellknown macro code, add the SHA256 hash to the Macrohash part in the configuration file. You will find the raw macro hash in the macromilter log file INFO [ID] The macro hash is: <the sha256 value>. Please use only this one! Keep in mind, that the file hash has also to be deleted form the "hashdatabse".


  • Config-File error handling
  • HTML-Dashboard
  • Setup-package for pip


Stephan Traub - Sbidy ->

Robert Scheck - robert-scheck ->


Philippe Lagadec - oletools

Stuart D. Gathman - pymilter


The MIT License (MIT)


This python based milter (mail-filter) checks an incoming mail for suspicious VBA macro code in MS 20xx Office attachments (doc, xls, ppt ...).







No packages published