MS+Postfix, Selective HOLD

Hugo van der Kooij hvdkooij at
Sat Apr 12 07:56:50 IST 2008

Hash: SHA1

Glenn Steen wrote:
| On 06/04/2008, Hugo van der Kooij <hvdkooij at> wrote:
|>  Hash: SHA1
|>  Hi,
|>  I have been trying to get my head around this question before. I find
|>  that I have a scalability problem that I could resolve if I can put
|>  messages on HOLD for MS to pickup only if it is not for a certain
|> recipient.
|>  There is one recipient that goes straight into a procmail parser to
|>  extract specific information. There is no need to fire up the whole MS
|>  circus for each message. This is an automated system that will get 1
|>  message per monitored SMTP server per minute.
|>  The normal config is:
|>  #       Do some header checks
|>  #       This includes setting almost anything on hold for MailScanner to
|>  pick up
|>  header_checks = regexp:/etc/postfix/regexp/header-checks
|>  So I have tried a number of setups. Most of them failed miserably.
|>  This morning I woke up whith what seems to be the answer so I gave it a
|>  spin and here are my findings.
|>  What does work is at the end of my smtpd checks add a table to list
|>  explicit addresses to scan. In the it looks like:
|>  #       Access rules
|>  smtpd_client_restrictions =
|>  ~        permit_mynetworks,
|>  ~        permit_sasl_authenticated,
|>  ....Long list removed.......
|>  ~        reject_unauth_destination,
|>  ~        check_recipient_access
|> hash:/etc/postfix/hash/valid-recipients
|>  And the hash tables explicit lists everyone for whome MS should be
|>  called upon. Like:
|>  hugo at            HOLD
|>  hvdkooij at        HOLD
|>  (I know putting email in the clear scares some people. But if you ever
|>  see a Megalist without these two then do not buy it. ;-)
|>  But the drawback is it only works for a simple setup at home with only a
|>  moderate list of recipients. And where you actually know all the
|> recipients.
| Actually... If you (as ) already use the relay_recipient_map thing,
| it'd be trivial to rewrite the script that generates the
| relay_recipient_map to also do an access_map...:).
|  But then again...
|>  But if you want to have just a few exceptions then you better use
|>  regular expressions.
|>  So replace:
|>  check_recipient_access
|> hash:/etc/postfix/hash/valid-recipients
|>  with:
|>  check_recipient_access
|> regexp:/etc/postfix/regexp/MailScanner
|>  With /etc/postfix/regexp/MailScanner looking like:
|>  #
|>  #        header_checks - Postfix built-in header/body inspection
|>  #
|>  /exclusion at test\.example\.net/          OK
|>  #       Everyone else will go through MailScanner!
|>  /.*/                                    HOLD
|>  #       EOF
|>  This does the trick for me. It might work for others.
| This would be a better replacement for the header check thing, in
| cases where you'd like to be selective. Thanks for thinking it up, and
| sharing.

Sharing is what make OS so much stronger.

But I have found an issue I am not able to pinpoint yet. Every email to
my postmaster seems to bypass MailScanner as well. I have grepped my
config files untill my fingers grew tired. But I have no postmaster
exception in postfix anywhere. Nor do I have one in MailScanner.

Is there an buildin option of postfix I am missing here?

~ --- postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/regexp/header-checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail -Y
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname,    $testdomains,,,        localhost.$mydomain,    localhost.localdomain,
mydomain =
myhostname =
mynetworks =, [2001:960:2:595::2]/128,
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = no
smtpd_banner = $myhostname ESMTP The sending of unsollicited bulk or
commercial email will be regarded as criminal activities. All traffic is
logged and violations will be handled under criminal and/or civil law.
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,      check_sender_access
hash:/etc/postfix/hash/whitelist,   check_client_access
cidr:/etc/postfix/cidr/blacklist-networks,  check_client_access
cidr:/etc/postfix/cidr/spamhaus-droplist,        check_recipient_access
hash:/etc/postfix/hash/recipients,       check_client_access
hash:/etc/postfix/hash/blacklist,   check_sender_access
hash:/etc/postfix/hash/blacklist,   check_client_access
hash:/etc/postfix/hash/dynamic-blacklist,        check_client_access
regexp:/etc/postfix/regexp/dynamic-networks,        check_sender_access
hash:/etc/postfix/hash/spamlist,    reject_non_fqdn_hostname,
reject_non_fqdn_recipient,      reject_non_fqdn_sender,
reject_unknown_sender_domain,   reject_invalid_hostname,
reject_unverified_recipient,    reject_rbl_client,     reject_rbl_client,   reject_rbl_client,    reject_rbl_client,      reject_rbl_client,
reject_rbl_client,        reject_rbl_client,     reject_rbl_client,
reject_unauth_destination,   check_recipient_access
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname,       reject_unknown_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,      reject_unauth_destination
smtpd_restriction_classes = work_MS,    reject_RFC,     reject_auto,
reject_auto_virus,      reject_domain,  reject_dynamic, reject_infected,
~       reject_spam,    reject_user,    whitelist_select
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/
smtpd_tls_key_file = /etc/ssl/
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/hash/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/hash/virtual-domains

~ --- MailScanner -c
Option Name                        Default        Current Value
addenvelopetoheader                no             yes
alwaysincludespamassassinreport    no             yes
alwayslookeduplast                 no             FUNCTION:MailWatchLogging
attachmentextensionsnottozip       .zip .rar .gz .tgz .mpg .mpe .mpeg
.mp3 .rpm .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm
.html .eml
attachmentwarningfilename          VirusWarning.txt
clamavfullmessagescan              no             yes
clamdsocket                    /tmp/clamd
cleanheadervalue                   Found to be clean No virus detected
contentsubjecttext                 {Dangerous Content?} [MODIFIED]
disarmedsubjecttext                {Disarmed}     [DISARMED]
disinfectedheadervalue             Disinfected    Virus removed
enablespambounce                   no             RULESET:Default=no
envelopefromheader                 X-MailScanner-Envelope-From:
envelopetoheader                   X-MailScanner-Envelope-To:
filenamesubjecttext                {Filename?}    [STRIPPED]
highscoringspamactions             deliver header "X-Spam-Status: Yes" store
highscoringspamsubjecttext         {Spam?}        [SPAM:_SCORE_]
highspamassassinscore              10             6
hostname                           the MailScanner the VANDERKOOIJ
( MailScanner
ignoredwebbugfilenames                            spacer pixel.gif
pixel.png gap
incomingqueuedir                   /var/spool/
infectedheadervalue                Found to be infected Virus detected
informationheadervalue             Please contact the ISP for more
information If you see this line then you have found the headers. Use
them wisely!
isdefinitelynotspam                no             FUNCTION:SQLWhitelist
isdefinitelyspam                   no             FUNCTION:SQLBlacklist
keepspamandmcparchiveclean         no             yes
logdangeroushtmltags               no             yes
lognonspam                         no             yes
logsilentviruses                   no             yes
logspam                            no             yes
mailheader                         X-MailScanner: X-VANDERKOOIJ-MailScanner:
mailscannerversionnumber           1.0.0          4.66.5
maxchildren                        5              1
maximummessagesize                 0              RULESET:Default=0
maxspamassassinsize                30000          40k
maxspamchecksize                   150000         250000
mcpheader                          X-MailScanner-MCPCheck:
mcpmaxspamassassinsize             100000         100k
monitorsforclamavupdates           /usr/local/share/clamav/*.cvd
/var/clamav/*.inc/* /var/clamav/*.cvd
monitorsforsophosupdates           /usr/local/Sophos/ide/*.zip
mta                                sendmail       postfix
nonspamactions                     deliver header "X-Spam-Status: No"
store deliver header "X-VANDERKOOIJ-SPAM: NO"
noticesignature                    -- \nMailScanner\nEmail Virus
Scanner\ -- \nMailScanner (anti-spam, anti-virus
notifysenders                      yes            no
notifysendersofblockedfilenamesorfiletypes yes            no
notifysendersofblockedsizeattachments no             yes
outgoingqueuedir                   /var/spool/mqueue
phishingsubjecttext                {Fraud?}       [PHISHING]
quarantinegroup                                   apache
quarantinepermissions              0600           0660
quarantinesilentviruses            no             yes
quarantineuser                                    postfix
quarantinewholemessage             no             yes
queuescaninterval                  6              3
requiredspamassassinscore          6              3
runasgroup                         0              postfix
runasuser                          0              postfix
scanmessages                       yes            RULESET:Default=yes
scannedsubjecttext                 {Scanned}      [SCANNED]
signatureimageimgfilename                         signature.jpg
signcleanmessages                  yes            no
sizesubjecttext                    {Size}         [SIZE]
sophosidedir                                      /usr/local/Sophos/ide
sophoslibdir                                      /usr/local/Sophos/lib
spamactions                        deliver header "X-Spam-Status: Yes"
store deliver header "X-VANDERKOOIJ-SPAM: YES"
spamassassinsiterulesdir                          /etc/mail/spamassassin
spamassassintimeout                75             60
spamheader                         X-MailScanner-SpamCheck:
spamlist                                          ERS spamhaus-ZEN
spamliststobespam                  1              2
spamscoreheader                    X-MailScanner-SpamScore:
spamscorenumberformat              %d             %5.2f
spamsubjecttext                    {Spam?}        [SPAM:_SCORE_]
treatinvalidwatermarkswithnosenderasspam spam           1
unscannedheadervalue               Not scanned: please contact your
Internet E-Mail Service Provider for details This message was not
scanned! Be cautious!
virusscanners                      auto           clamavmodule mcafee avastd
virusscanning                      yes            RULESET:Default=yes
virussubjecttext                   {Virus?}       [VIRUS]
watermarkheader                    MailScanner-NULL-Check:
watermarksecret                    <Withheld from output by HvdK>


- --
hvdkooij at     

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on and rate those images.

Version: GnuPG v1.4.7 (GNU/Linux)


More information about the MailScanner mailing list