MS+Postfix, Selective HOLD

Hugo van der Kooij hvdkooij at vanderkooij.org
Sat Apr 12 07:56:50 IST 2008


Glenn Steen wrote:
| On 06/04/2008, Hugo van der Kooij <hvdkooij at vanderkooij.org> wrote:
|> -----BEGIN PGP SIGNED MESSAGE-----
|>  Hash: SHA1
|>
|>  Hi,
|>
|>  I have been trying to get my head around this question before. I find
|>  that I have a scalability problem that I could resolve if I can put
|>  messages on HOLD for MS to pickup only if it is not for a certain
|> recipient.
|>
|>  There is one recipient that goes straight into a procmail parser to
|>  extract specific information. There is no need to fire up the whole MS
|>  circus for each message. This is an automated system that will get 1
|>  message per monitored SMTP server per minute.
|>
|>  The normal config is:
|>  #       Do some header checks
|>  #       This includes setting almost anything on hold for MailScanner to
|>  pick up
|>  header_checks = regexp:/etc/postfix/regexp/header-checks
|>
|>  So I have tried a number of setups. Most of them failed miserably.
|>
|>  This morning I woke up with what seems to be the answer so I gave it a
|>  spin and here are my findings.
|>
|>
|>  What does work is at the end of my smtpd checks add a table to list
|>  explicit addresses to scan. In the main.cf it looks like:
|>
|>  #       Access rules
|>  smtpd_client_restrictions =
|>  ~        permit_mynetworks,
|>  ~        permit_sasl_authenticated,
|>  ....Long list removed.......
|>  ~        reject_unauth_destination,
|>  ~        check_recipient_access
|> hash:/etc/postfix/hash/valid-recipients
|>
|>  And the hash table explicitly lists everyone for whom MS should be
|>  called upon. Like:
|>
|>  hugo at vanderkooij.org            HOLD
|>  hvdkooij at vanderkooij.org        HOLD
|>
|>  (I know putting email in the clear scares some people. But if you ever
|>  see a Megalist without these two then do not buy it. ;-)
|>
|>  But the drawback is it only works for a simple setup at home with only a
|>  moderate list of recipients. And where you actually know all the
|> recipients.
|>
| Actually... If you (as ) already use the relay_recipient_map thing,
| it'd be trivial to rewrite the script that generates the
| relay_recipient_map to also do an access_map...:).
|  But then again...
|>  But if you want to have just a few exceptions then you better use
|>  regular expressions.
|>
|>  So replace:
|>  check_recipient_access
|> hash:/etc/postfix/hash/valid-recipients
|>
|>  with:
|>  check_recipient_access
|> regexp:/etc/postfix/regexp/MailScanner
|>
|>  With /etc/postfix/regexp/MailScanner looking like:
|>
|>  #
|>  #        header_checks - Postfix built-in header/body inspection
|>  #
|>  /exclusion at test\.example\.net/          OK
|>
|>  #       Everyone else will go through MailScanner!
|>  /.*/                                    HOLD
|>
|>  #       EOF
|>
|>
|>  This does the trick for me. It might work for others.
| This would be a better replacement for the header check thing, in
| cases where you'd like to be selective. Thanks for thinking it up, and
| sharing.

Sharing is what makes OS so much stronger.

But I have found an issue I am not able to pinpoint yet. Every email to
my postmaster seems to bypass MailScanner as well. I have grepped my
config files until my fingers grew tired. But I have no postmaster
exception in postfix anywhere. Nor do I have one in MailScanner.

Is there a built-in option of postfix I am missing here?

~ --- postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/regexp/header-checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail -Y
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname,    $testdomains,   spamvrij.net,
vanderkooij.org,        localhost.$mydomain,    localhost.localdomain,
localhost
mydomain = vanderkooij.org
myhostname = balin.waakhond.net
mynetworks = 84.244.132.155/32, [2001:960:2:595::2]/128,        127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = no
smtpd_banner = $myhostname ESMTP The sending of unsollicited bulk or
commercial email will be regarded as criminal activities. All traffic is
logged and violations will be handled under criminal and/or civil law.
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,      check_sender_access
hash:/etc/postfix/hash/whitelist,   check_client_access
cidr:/etc/postfix/cidr/blacklist-networks,  check_client_access
cidr:/etc/postfix/cidr/spamhaus-droplist,        check_recipient_access
hash:/etc/postfix/hash/recipients,       check_client_access
hash:/etc/postfix/hash/blacklist,   check_sender_access
hash:/etc/postfix/hash/blacklist,   check_client_access
hash:/etc/postfix/hash/dynamic-blacklist,        check_client_access
regexp:/etc/postfix/regexp/dynamic-networks,        check_sender_access
hash:/etc/postfix/hash/spamlist,    reject_non_fqdn_hostname,
reject_non_fqdn_recipient,      reject_non_fqdn_sender,
reject_unknown_sender_domain,   reject_invalid_hostname,
reject_unverified_recipient,    reject_rbl_client
STX2E4ZKZBQAVGD47HCFAB8ETQWC8HB.r.mail-abuse.com,     reject_rbl_client
all.rbl.jp,   reject_rbl_client bl.spamcop.net,    reject_rbl_client
dnsbl.sorbs.net,      reject_rbl_client korea.services.net,
reject_rbl_client list.dsbl.org,        reject_rbl_client
zen.spamhaus.org,     reject_rbl_client blackholes.securitysage.com,
reject_unauth_destination,   check_recipient_access
regexp:/etc/postfix/regexp/MailScanner
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname,       reject_unknown_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,      reject_unauth_destination
smtpd_restriction_classes = work_MS,    reject_RFC,     reject_auto,
reject_auto_virus,      reject_domain,  reject_dynamic, reject_infected,
~       reject_spam,    reject_user,    whitelist_select
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/balin.waakhond.net.crt
smtpd_tls_key_file = /etc/ssl/balin.waakhond.net.key
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/hash/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = rust-hoff.nl
virtual_alias_maps = hash:/etc/postfix/hash/virtual-domains

~ --- MailScanner -c
Option Name                        Default        Current Value
===============================================================================
addenvelopetoheader                no             yes
alwaysincludespamassassinreport    no             yes
alwayslookeduplast                 no             FUNCTION:MailWatchLogging
attachmentextensionsnottozip       .zip .rar .gz .tgz .mpg .mpe .mpeg
.mp3 .rpm .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm
.html .eml
attachmentwarningfilename          VirusWarning.txt
VANDERKOOIJ-Attachment-Warning.txt
clamavfullmessagescan              no             yes
clamdsocket                        127.0.0.1      /tmp/clamd
cleanheadervalue                   Found to be clean No virus detected
contentsubjecttext                 {Dangerous Content?} [MODIFIED]
disarmedsubjecttext                {Disarmed}     [DISARMED]
disinfectedheadervalue             Disinfected    Virus removed
enablespambounce                   no             RULESET:Default=no
envelopefromheader                 X-MailScanner-Envelope-From:
X-VANDERKOOIJ-MailScanner-From:
envelopetoheader                   X-MailScanner-Envelope-To:
X-VANDERKOOIJ-MailScanner-To:
filenamerules
RULESET:Default=/etc/MailScanner/filename.rules.conf
filenamesubjecttext                {Filename?}    [STRIPPED]
filetyperules
/etc/MailScanner/filetype.rules.conf
highscoringspamactions             deliver header "X-Spam-Status: Yes" store
highscoringspamsubjecttext         {Spam?}        [SPAM:_SCORE_]
highspamassassinscore              10             6
hostname                           the MailScanner the VANDERKOOIJ
(balin.waakhond.net) MailScanner
ignoredwebbugfilenames                            spacer pixel.gif
pixel.png gap
incomingqueuedir                   /var/spool/mqueue.in
/var/spool/postfix/hold
infectedheadervalue                Found to be infected Virus detected
informationheader
X-VANDERKOOIJ-MailScanner-Information:
informationheadervalue             Please contact the ISP for more
information If you see this line then you have found the headers. Use
them wisely!
isdefinitelynotspam                no             FUNCTION:SQLWhitelist
isdefinitelyspam                   no             FUNCTION:SQLBlacklist
keepspamandmcparchiveclean         no             yes
knownwebbugservers                                msgtag.com
languagestrings
/etc/MailScanner/reports/en/languages.conf
logdangeroushtmltags               no             yes
lognonspam                         no             yes
logsilentviruses                   no             yes
logspam                            no             yes
mailheader                         X-MailScanner: X-VANDERKOOIJ-MailScanner:
mailscannerversionnumber           1.0.0          4.66.5
maxchildren                        5              1
maximummessagesize                 0              RULESET:Default=0
maxspamassassinsize                30000          40k
maxspamchecksize                   150000         250000
mcpheader                          X-MailScanner-MCPCheck:
X-VANDERKOOIJ-MailScanner-MCPCheck:
mcpmaxspamassassinsize             100000         100k
monitorsforclamavupdates           /usr/local/share/clamav/*.cvd
/var/clamav/*.inc/* /var/clamav/*.cvd
monitorsforsophosupdates           /usr/local/Sophos/ide/*.zip
/usr/local/Sophos/ide/*ides.zip
mta                                sendmail       postfix
nonspamactions                     deliver header "X-Spam-Status: No"
store deliver header "X-VANDERKOOIJ-SPAM: NO"
noticesignature                    -- \nMailScanner\nEmail Virus
Scanner\nwww.mailscanner.info -- \nMailScanner (anti-spam, anti-virus
toolkit)
notifysenders                      yes            no
notifysendersofblockedfilenamesorfiletypes yes            no
notifysendersofblockedsizeattachments no             yes
outgoingqueuedir                   /var/spool/mqueue
/var/spool/postfix/incoming
phishingsubjecttext                {Fraud?}       [PHISHING]
quarantinegroup                                   apache
quarantinepermissions              0600           0660
quarantinesilentviruses            no             yes
quarantineuser                                    postfix
quarantinewholemessage             no             yes
queuescaninterval                  6              3
rejectionreport
/etc/MailScanner/reports/en/message.rejection.report.txt
/etc/MailScanner/reports/en/rejection.report.txt
requiredspamassassinscore          6              3
runasgroup                         0              postfix
runasuser                          0              postfix
scanmessages                       yes            RULESET:Default=yes
scannedsubjecttext                 {Scanned}      [SCANNED]
signatureimagefilename
/etc/MailScanner/reports/en/sig.jpg
signatureimageimgfilename                         signature.jpg
signcleanmessages                  yes            no
sizesubjecttext                    {Size}         [SIZE]
sophosidedir                                      /usr/local/Sophos/ide
sophoslibdir                                      /usr/local/Sophos/lib
spamactions                        deliver header "X-Spam-Status: Yes"
store deliver header "X-VANDERKOOIJ-SPAM: YES"
spamassassinsiterulesdir                          /etc/mail/spamassassin
spamassassintimeout                75             60
spamassassinuserstatedir
/var/spool/MailScanner/spamassassin
spamheader                         X-MailScanner-SpamCheck:
X-VANDERKOOIJ-MailScanner-SpamCheck:
spamlist                                          ERS spamhaus-ZEN
RBL-JP RBL-KR
spamliststobespam                  1              2
spamscoreheader                    X-MailScanner-SpamScore:
X-VANDERKOOIJ-MailScanner-SpamScore:
spamscorenumberformat              %d             %5.2f
spamsubjecttext                    {Spam?}        [SPAM:_SCORE_]
treatinvalidwatermarkswithnosenderasspam spam           1
unscannedheadervalue               Not scanned: please contact your
Internet E-Mail Service Provider for details This message was not
scanned! Be cautious!
virusscanners                      auto           clamavmodule mcafee avastd
virusscanning                      yes            RULESET:Default=yes
virussubjecttext                   {Virus?}       [VIRUS]
watermarkheader                    MailScanner-NULL-Check:
X-VANDERKOOIJ-MailScanner-Watermark:
watermarksecret                    <Withheld from output by HvdK>
webbugreplacement
http://www.mailscanner.info/images/1x1spacer.gif
http://hugo.vanderkooij.org/images/1x1spacer.gif

Hugo.

--
hvdkooij at vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.


More information about the MailScanner mailing list
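
An added example, not part of the original post: a small Python approximation of how a Postfix regexp table resolves a recipient (first matching pattern wins, case-insensitive by default). It is run over the table quoted in the message and over an anchored variant, to show which recipients skip the HOLD rule. Both tables and the sample recipients are constructed, with "@" written literally where the archive shows " at ", and Python's `re` stands in for the POSIX regex engine.

```python
import re

# Constructed tables in "/pattern/ ACTION" layout, based on the table in the post.
TABLE_AS_POSTED = r"""
/exclusion@test\.example\.net/          OK
#       Everyone else will go through MailScanner!
/.*/                                    HOLD
"""

# Same table with the exception anchored to the whole address (added variant).
TABLE_ANCHORED = r"""
/^exclusion@test\.example\.net$/        OK
/.*/                                    HOLD
"""

# Constructed sample recipients; only the first and last are the intended exception.
SAMPLES = [
    "exclusion@test.example.net",
    "alice@test.example.net",
    "user+exclusion@test.example.net",
    "noexclusion@test.example.net",
    "EXCLUSION@TEST.EXAMPLE.NET",
]

def load(text):
    """Parse '/pattern/ ACTION' lines, skipping blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S+)", line)
        if m is None:
            raise ValueError(f"unparsable line: {line!r}")
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, recipient):
    """Return the action of the first pattern that matches, or None."""
    for pattern, action in rules:
        if pattern.search(recipient):
            return action
    return None

def unscanned(table_text, recipients):
    """Recipients that resolve to OK and so never reach the HOLD rule."""
    rules = load(table_text)
    return [r for r in recipients if lookup(rules, r) == "OK"]

if __name__ == "__main__":
    print("as posted:", unscanned(TABLE_AS_POSTED, SAMPLES))
    print("anchored: ", unscanned(TABLE_ANCHORED, SAMPLES))
```

On a live system the equivalent check is `postmap -q <address> regexp:/etc/postfix/regexp/MailScanner`, run for each address of interest.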