MS+Postfix, Selective HOLD
Hugo van der Kooij
hvdkooij at vanderkooij.org
Sat Apr 12 07:56:50 IST 2008
Glenn Steen wrote:
| On 06/04/2008, Hugo van der Kooij <hvdkooij at vanderkooij.org> wrote:
|>
|> Hi,
|>
|> I have been trying to get my head around this question before. I find
|> that I have a scalability problem that I could resolve if I can put
|> messages on HOLD for MS to pickup only if it is not for a certain
|> recipient.
|>
|> There is one recipient that goes straight into a procmail parser to
|> extract specific information. There is no need to fire up the whole MS
|> circus for each message. This is an automated system that will get 1
|> message per monitored SMTP server per minute.
|>
|> The normal config is:
|> # Do some header checks
|> # This includes setting almost anything on hold for MailScanner to pick up
|> header_checks = regexp:/etc/postfix/regexp/header-checks
|>
|> So I have tried a number of setups. Most of them failed miserably.
|>
|> This morning I woke up with what seems to be the answer so I gave it a
|> spin and here are my findings.
|>
|>
|> What does work is at the end of my smtpd checks add a table to list
|> explicit addresses to scan. In the main.cf it looks like:
|>
|> # Access rules
|> smtpd_client_restrictions =
|>     permit_mynetworks,
|>     permit_sasl_authenticated,
|>     ....Long list removed.......
|>     reject_unauth_destination,
|>     check_recipient_access hash:/etc/postfix/hash/valid-recipients
|>
|> And the hash table explicitly lists everyone for whom MS should be
|> called upon. Like:
|>
|> hugo at vanderkooij.org HOLD
|> hvdkooij at vanderkooij.org HOLD
|>
|> (I know putting email in the clear scares some people. But if you ever
|> see a Megalist without these two then do not buy it. ;-)
|>
|> But the drawback is it only works for a simple setup at home with only a
|> moderate list of recipients. And where you actually know all the
|> recipients.
|>
| Actually... If you (as ) already use the relay_recipient_map thing,
| it'd be trivial to rewrite the script that generates the
| relay_recipient_map to also do an access_map...:).
| But then again...
|> But if you want to have just a few exceptions then you better use
|> regular expressions.
|>
|> So replace:
|> check_recipient_access
|> hash:/etc/postfix/hash/valid-recipients
|>
|> with:
|> check_recipient_access
|> regexp:/etc/postfix/regexp/MailScanner
|>
|> With /etc/postfix/regexp/MailScanner looking like:
|>
|> #
|> # header_checks - Postfix built-in header/body inspection
|> #
|> /exclusion at test\.example\.net/ OK
|>
|> # Everyone else will go through MailScanner!
|> /.*/ HOLD
|>
|> # EOF
|>
|>
|> This does the trick for me. It might work for others.
| This would be a better replacement for the header check thing, in
| cases where you'd like to be selective. Thanks for thinking it up, and
| sharing.
Sharing is what makes OS so much stronger.
But I have found an issue I am not able to pinpoint yet. Every email to
my postmaster seems to bypass MailScanner as well. I have grepped my
config files until my fingers grew tired. But I have no postmaster
exception in postfix anywhere. Nor do I have one in MailScanner.
Is there a built-in option of postfix I am missing here?
--- postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/regexp/header-checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail -Y
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, $testdomains, spamvrij.net,
vanderkooij.org, localhost.$mydomain, localhost.localdomain,
localhost
mydomain = vanderkooij.org
myhostname = balin.waakhond.net
mynetworks = 84.244.132.155/32, [2001:960:2:595::2]/128, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = no
smtpd_banner = $myhostname ESMTP The sending of unsollicited bulk or
commercial email will be regarded as criminal activities. All traffic is
logged and violations will be handled under criminal and/or civil law.
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated, check_sender_access
hash:/etc/postfix/hash/whitelist, check_client_access
cidr:/etc/postfix/cidr/blacklist-networks, check_client_access
cidr:/etc/postfix/cidr/spamhaus-droplist, check_recipient_access
hash:/etc/postfix/hash/recipients, check_client_access
hash:/etc/postfix/hash/blacklist, check_sender_access
hash:/etc/postfix/hash/blacklist, check_client_access
hash:/etc/postfix/hash/dynamic-blacklist, check_client_access
regexp:/etc/postfix/regexp/dynamic-networks, check_sender_access
hash:/etc/postfix/hash/spamlist, reject_non_fqdn_hostname,
reject_non_fqdn_recipient, reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_invalid_hostname,
reject_unverified_recipient, reject_rbl_client
STX2E4ZKZBQAVGD47HCFAB8ETQWC8HB.r.mail-abuse.com, reject_rbl_client
all.rbl.jp, reject_rbl_client bl.spamcop.net, reject_rbl_client
dnsbl.sorbs.net, reject_rbl_client korea.services.net,
reject_rbl_client list.dsbl.org, reject_rbl_client
zen.spamhaus.org, reject_rbl_client blackholes.securitysage.com,
reject_unauth_destination, check_recipient_access
regexp:/etc/postfix/regexp/MailScanner
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_unknown_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
smtpd_restriction_classes = work_MS, reject_RFC, reject_auto,
reject_auto_virus, reject_domain, reject_dynamic, reject_infected,
reject_spam, reject_user, whitelist_select
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/balin.waakhond.net.crt
smtpd_tls_key_file = /etc/ssl/balin.waakhond.net.key
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/hash/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = rust-hoff.nl
virtual_alias_maps = hash:/etc/postfix/hash/virtual-domains
--- MailScanner -c
Option Name Default Current Value
===============================================================================
addenvelopetoheader no yes
alwaysincludespamassassinreport no yes
alwayslookeduplast no FUNCTION:MailWatchLogging
attachmentextensionsnottozip .zip .rar .gz .tgz .mpg .mpe .mpeg
.mp3 .rpm .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm
.html .eml
attachmentwarningfilename VirusWarning.txt
VANDERKOOIJ-Attachment-Warning.txt
clamavfullmessagescan no yes
clamdsocket 127.0.0.1 /tmp/clamd
cleanheadervalue Found to be clean No virus detected
contentsubjecttext {Dangerous Content?} [MODIFIED]
disarmedsubjecttext {Disarmed} [DISARMED]
disinfectedheadervalue Disinfected Virus removed
enablespambounce no RULESET:Default=no
envelopefromheader X-MailScanner-Envelope-From:
X-VANDERKOOIJ-MailScanner-From:
envelopetoheader X-MailScanner-Envelope-To:
X-VANDERKOOIJ-MailScanner-To:
filenamerules
RULESET:Default=/etc/MailScanner/filename.rules.conf
filenamesubjecttext {Filename?} [STRIPPED]
filetyperules
/etc/MailScanner/filetype.rules.conf
highscoringspamactions deliver header "X-Spam-Status: Yes" store
highscoringspamsubjecttext {Spam?} [SPAM:_SCORE_]
highspamassassinscore 10 6
hostname the MailScanner the VANDERKOOIJ
(balin.waakhond.net) MailScanner
ignoredwebbugfilenames spacer pixel.gif
pixel.png gap
incomingqueuedir /var/spool/mqueue.in
/var/spool/postfix/hold
infectedheadervalue Found to be infected Virus detected
informationheader
X-VANDERKOOIJ-MailScanner-Information:
informationheadervalue Please contact the ISP for more
information If you see this line then you have found the headers. Use
them wisely!
isdefinitelynotspam no FUNCTION:SQLWhitelist
isdefinitelyspam no FUNCTION:SQLBlacklist
keepspamandmcparchiveclean no yes
knownwebbugservers msgtag.com
languagestrings
/etc/MailScanner/reports/en/languages.conf
logdangeroushtmltags no yes
lognonspam no yes
logsilentviruses no yes
logspam no yes
mailheader X-MailScanner: X-VANDERKOOIJ-MailScanner:
mailscannerversionnumber 1.0.0 4.66.5
maxchildren 5 1
maximummessagesize 0 RULESET:Default=0
maxspamassassinsize 30000 40k
maxspamchecksize 150000 250000
mcpheader X-MailScanner-MCPCheck:
X-VANDERKOOIJ-MailScanner-MCPCheck:
mcpmaxspamassassinsize 100000 100k
monitorsforclamavupdates /usr/local/share/clamav/*.cvd
/var/clamav/*.inc/* /var/clamav/*.cvd
monitorsforsophosupdates /usr/local/Sophos/ide/*.zip
/usr/local/Sophos/ide/*ides.zip
mta sendmail postfix
nonspamactions deliver header "X-Spam-Status: No"
store deliver header "X-VANDERKOOIJ-SPAM: NO"
noticesignature -- \nMailScanner\nEmail Virus
Scanner\nwww.mailscanner.info -- \nMailScanner (anti-spam, anti-virus
toolkit)
notifysenders yes no
notifysendersofblockedfilenamesorfiletypes yes no
notifysendersofblockedsizeattachments no yes
outgoingqueuedir /var/spool/mqueue
/var/spool/postfix/incoming
phishingsubjecttext {Fraud?} [PHISHING]
quarantinegroup apache
quarantinepermissions 0600 0660
quarantinesilentviruses no yes
quarantineuser postfix
quarantinewholemessage no yes
queuescaninterval 6 3
rejectionreport
/etc/MailScanner/reports/en/message.rejection.report.txt
/etc/MailScanner/reports/en/rejection.report.txt
requiredspamassassinscore 6 3
runasgroup 0 postfix
runasuser 0 postfix
scanmessages yes RULESET:Default=yes
scannedsubjecttext {Scanned} [SCANNED]
signatureimagefilename
/etc/MailScanner/reports/en/sig.jpg
signatureimageimgfilename signature.jpg
signcleanmessages yes no
sizesubjecttext {Size} [SIZE]
sophosidedir /usr/local/Sophos/ide
sophoslibdir /usr/local/Sophos/lib
spamactions deliver header "X-Spam-Status: Yes"
store deliver header "X-VANDERKOOIJ-SPAM: YES"
spamassassinsiterulesdir /etc/mail/spamassassin
spamassassintimeout 75 60
spamassassinuserstatedir
/var/spool/MailScanner/spamassassin
spamheader X-MailScanner-SpamCheck:
X-VANDERKOOIJ-MailScanner-SpamCheck:
spamlist ERS spamhaus-ZEN
RBL-JP RBL-KR
spamliststobespam 1 2
spamscoreheader X-MailScanner-SpamScore:
X-VANDERKOOIJ-MailScanner-SpamScore:
spamscorenumberformat %d %5.2f
spamsubjecttext {Spam?} [SPAM:_SCORE_]
treatinvalidwatermarkswithnosenderasspam spam 1
unscannedheadervalue Not scanned: please contact your
Internet E-Mail Service Provider for details This message was not
scanned! Be cautious!
virusscanners auto clamavmodule mcafee avastd
virusscanning yes RULESET:Default=yes
virussubjecttext {Virus?} [VIRUS]
watermarkheader MailScanner-NULL-Check:
X-VANDERKOOIJ-MailScanner-Watermark:
watermarksecret <Withheld from output by HvdK>
webbugreplacement
http://www.mailscanner.info/images/1x1spacer.gif
http://hugo.vanderkooij.org/images/1x1spacer.gif
Hugo.
--
hvdkooij at vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?
Bored? Click on http://spamornot.org/ and rate those images.