Need help with rule set

Mark Sapiro mark at
Wed Jul 29 17:32:03 IST 2009

Jules Field wrote:
>On 29/07/2009 15:55, Mark Sapiro wrote:
>> MailScanner 4.78.2
>> I have a ruleset for "Notices To" like the following
>> To: /^postmaster(\+.*)?[@.]example\.(net|org)$/ address1
>> To: /[@.]example\.(net|org)$/ and To: !/^postmaster/ address2
>> FromOrTo: default address3
>> The intent is to send virus notices for mail sent to the postmaster
>> address in the and domains to address1; to
>> send notices for mail sent to other addresses in the example.(com|net)
>> domains to address2, and to send notices for mail to other domains to
>> address3.
>> The first rule works fine. A notice for mail sent to
>> postmaster at is sent to address1.
>> The problem is that a notice for mail to user at is sent to
>> the default address3 instead of address2.
>> Does !/regexp/ work the way I've used it here? Is there something wrong
>> with what I'm doing?
>That's not allowed.

OK. That's good to know.

>> Note that if the second rule is just
>> To: /[@.]example\.(net|org)$/ address2
>> Then notices for postmaster at mail get sent to both address1
>> and address2 which is expected for an "all match" ruleset, but not
>> what I want. I really want to say
>> To: /[@.]example\.(net|org)$/ and NOT To: /^postmaster/ address2
>> and I thought
>> To: /[@.]example\.(net|org)$/ and To: !/^postmaster/ address2
>> would do it, but it doesn't seem to. It appears that I can do this with
>> a negative lookahead regexp as in
>> To: /[@.]example\.(net|org)$/ and To: /^(?!postmaster)/ address2
>> but in a more complex case the ability to say "doesn't match regexp"
>> without using negative lookahead seems useful.
>A simple of phrasing pretty much the same thing would be this:
>To: postmaster at address1
>To: postmaster at address1
>To: * address2
>To: * address2
>FromOrTo: default address3
>That will also work a whole lot faster, as it can be implemented as a 
>single hash lookup rather than having to evaluate all the regexps each time.
>The only problem I can see you might hit is that "NoticeRecipient" is 
>listed in in the "[All,Other]" section, where you might 
>want to move it to the "[First,Other]" section, or else notices to 
>postmaster at and org will probably end up at address1 and 
>address2. If that's particularly important to you, of course, which it 
>may well not be really.

Actually, That is important. It is also good to know how to change a
ruleset from All Match to First Match.

It is important in this case because the main goal of this rule set is
for address2 not to get notices about mail to postmaster.

The underlying issue is that with SaneSecurity ClamAV signatures, lots
of spam gets processed as a virus and thus gets a virus notice rather
than a spam or high spam action, and this postmaster address gets a
lot of spam, the notices for which drown out the others.

>If you really want to catch notices to any address starting with 
>"postmaster", then you could use
>To: postmaster* address1
>syntax instead.

Actually, I'm not interested in all addresses starting with postmaster,
just postmaster and postmaster+*, but any postmaster* that isn't
postmaster or postmaster+* will have been rejected at incoming SMTP
time anway, so postmaster* should be good

>Keep it simple, and easy to understand, and you will find it works a lot 
>faster. The configuration engine is optimised for the sort of rules that 
>mortals understand, it's not optimised for horrendously complex regexps.

Thanks for the advice. It is helpful.

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list