header checks not working


header checks not working

bronto
I'm trying to set up a basic header check to get rid of emails sa marks
as spam.  I've added the following link to main.cf:

header_checks = regexp:/etc/postfix/filter

/etc/postfix/filter has:


# No ***SPAM***
/^Subject .*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***
# SPam flag
/^X-Spam-Flag .YES/ DISCARD Spam Flag

The intent is to discard emails where either the subject contains
***SPAM*** or the X-Spam-Flag is YES

But the filters aren't working.  I am by no means a regex expert.  What
am I missing?

Rob


Re: header checks not working

Jason Bailey, Sun Advocate Webmaster
Rob Brandt wrote:

> I'm trying to set up a basic header check to get rid of emails sa marks
> as spam.  I've added the following link to main.cf:
>
> header_checks = regexp:/etc/postfix/filter
>
> /etc/postfix/filter has:
>
>
> # No ***SPAM***
> /^Subject .*\*\*\*SPAM\*\*\*/    DISCARD ***SPAM***
> # SPam flag
> /^X-Spam-Flag .YES/    DISCARD Spam Flag
>
> The intent is to discard emails where either the subject contains
> ***SPAM*** or the X-Spam-Flag is YES
>
> But the filters aren't working.  I am by no means a regex expert.  What
> am I missing?
>
> Rob
>

I'm no Postfix master (not by a long shot), nor do I have a machine I
can test this on, but try this:

/^X\-Spam\-Status\:.*YES/i DISCARD

Since you say your header is different, maybe this:
/^X\-Spam\-Flag\:.*YES/i DISCARD

I suppose it depends on the name of the header. I have SpamAssassin
marking my email and the header is X-Spam-Status, not X-Spam-Flag.

The "/i" at the end implies case insensitivity when matching. I'm not
sure if Postfix honors such pattern modifiers, but generally speaking,
when dealing with Perl-compatible regex, that's what the "i" does. If
Postfix doesn't like it, just take the "i" out.

Jason

Re: header checks not working

Sahil Tandon
In reply to this post by bronto
On Tue, 30 Jun 2009, Rob Brandt wrote:

> I'm trying to set up a basic header check to get rid of emails sa marks  
> as spam.  I've added the following link to main.cf:
>
> header_checks = regexp:/etc/postfix/filter

I prefer pcre:, but the following patterns should work with regexp: as well.

> # No ***SPAM***
> /^Subject .*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***

/^Subject:.*\*{3}SPAM\*{3}/ DISCARD ***SPAM***

> # SPam flag
> /^X-Spam-Flag .YES/ DISCARD Spam Flag

/^X-Spam-Flag: YES$/ DISCARD Spam Flag

--
Sahil Tandon <[hidden email]>

Re: header checks not working

Jason Bailey, Sun Advocate Webmaster
Sahil Tandon wrote:

> On Tue, 30 Jun 2009, Rob Brandt wrote:
>
>  
>> I'm trying to set up a basic header check to get rid of emails sa marks  
>> as spam.  I've added the following link to main.cf:
>>
>> header_checks = regexp:/etc/postfix/filter
>>    
>
> I prefer pcre:, but the following patterns should work with regexp: as well.
>
>  

I was thinking pcre instead of regexp when I replied. Yes, I also
suggest pcre.

>> # No ***SPAM***
>> /^Subject .*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***
>>    
>
> /^Subject:.*\*{3}SPAM\*{3}/ DISCARD ***SPAM***
>
>  
>> # SPam flag
>> /^X-Spam-Flag .YES/ DISCARD Spam Flag
>>    
>
> /^X-Spam-Flag: YES$/ DISCARD Spam Flag
>
>  
Maybe it's not necessary, but I've always seemed to have better luck with
Perl compatible regular expressions (as a general rule, not necessarily
just with Postfix pcre) when I escape the hyphens (i.e. "\-"). I suppose
if Postfix works without them, great. The simpler you can keep things,
the better.


Re: header checks not working

bronto
In reply to this post by Sahil Tandon
Still doesn't seem to be working.  Still using regexp, it seems I don't
have pcre installed as postfix throws errors when I try it.  I'm
focusing on the X-Spam-Flag one since they both should eliminate the
same emails anyway.  I've tried it both with the colon and without.  Is
there a log somewhere where I can see what's going on?

Rob


Sahil Tandon wrote:

> On Tue, 30 Jun 2009, Rob Brandt wrote:
>
>> I'm trying to set up a basic header check to get rid of emails sa marks  
>> as spam.  I've added the following link to main.cf:
>>
>> header_checks = regexp:/etc/postfix/filter
>
> I prefer pcre:, but the following patterns should work with regexp: as well.
>
>> # No ***SPAM***
>> /^Subject .*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***
>
> /^Subject:.*\*{3}SPAM\*{3}/ DISCARD ***SPAM***
>
>> # SPam flag
>> /^X-Spam-Flag .YES/ DISCARD Spam Flag
>
> /^X-Spam-Flag: YES$/ DISCARD Spam Flag
>


Re: header checks not working

Magnus Bäck
On Wednesday, July 01, 2009 at 07:02 CEST,
     Rob Brandt <[hidden email]> wrote:


> Sahil Tandon wrote:
>
> > I prefer pcre:, but the following patterns should work with regexp:
> > as well.

No, {n} isn't supported by regexp.

> > /^Subject:.*\*{3}SPAM\*{3}/ DISCARD ***SPAM***
> >
> > /^X-Spam-Flag: YES$/ DISCARD Spam Flag
>
> Still doesn't seem to be working.  Still using regexp, it seems I
> don't have pcre installed as postfix throws errors when I try it.

"postconf -m" indicates which map types are supported.

> I'm focusing on the X-Spam-Flag one since they both should eliminate
> the same emails anyway.  I've tried it both with the colon and
> without.  Is there a log somewhere where I can see what's going on?

You can use "postmap -q" to test input strings. The following patterns
are regexp-compatible:

/^Subject:.*\*\*\*SPAM\*\*\*/     DISCARD ***SPAM***
/^X-Spam-Flag: YES$/              DISCARD Spam Flag

Test them with "postmap -q" first. If it doesn't work you need to
provide an example email with these headers.

Please do not top-post.

--
Magnus Bäck
[hidden email]

Re: header checks not working

Magnus Bäck
In reply to this post by Jason Bailey, Sun Advocate Webmaster
On Wednesday, July 01, 2009 at 03:25 CEST,
     "Jason Bailey, Sun Advocate Webmaster" <[hidden email]> wrote:

[...]

> The "/i" at the end implies case insensitivity when matching. I'm not
> sure if Postfix honors such pattern modifiers, but generally speaking,
> when dealing with Perl-compatible regex, that's what the "i" does. If
> Postfix doesn't like it, just take the "i" out.

As documented in regexp_table(5) and pcre_table(5), /i is supported but
is used to DISABLE case-insensitivity.

--
Magnus Bäck
[hidden email]

Re: header checks not working

bronto
In reply to this post by Magnus Bäck
Magnus Bäck wrote:

> On Wednesday, July 01, 2009 at 07:02 CEST,
>      Rob Brandt <[hidden email]> wrote:
>
>
>> Sahil Tandon wrote:
>>
>>> I prefer pcre:, but the following patterns should work with regexp:
>>> as well.
>
> No, {n} isn't supported by regexp.
>
>>> /^Subject:.*\*{3}SPAM\*{3}/ DISCARD ***SPAM***
>>>
>>> /^X-Spam-Flag: YES$/ DISCARD Spam Flag
>> Still doesn't seem to be working.  Still using regexp, it seems I
>> don't have pcre installed as postfix throws errors when I try it.
>
> "postconf -m" indicates which map types are supported.
>
>> I'm focusing on the X-Spam-Flag one since they both should eliminate
>> the same emails anyway.  I've tried it both with the colon and
>> without.  Is there a log somewhere where I can see what's going on?
>
> You can use "postmap -q" to test input strings. The following patterns
> are regexp-compatible:
>
> /^Subject:.*\*\*\*SPAM\*\*\*/     DISCARD ***SPAM***
> /^X-Spam-Flag: YES$/              DISCARD Spam Flag
>
> Test them with "postmap -q" first. If it doesn't work you need to
> provide an example email with these headers.
>
> Please do not top-post.
>

Thanks.  postconf -m confirms that I have regexp but not pcre.

Could I get an example of how to use postmap -q?  I have tried:

postmap -q "X-Spam-Flag: YES" /etc/postfix/header_checks

where "X-Spam-Flag: YES" is the header I am trying to check and
/etc/postfix/header_checks is the current name of my header_checks file.
  I get no return values, I've read the man and I think I'm supposed to
get a 0 when it matches.

Rob

Re: header checks not working

Magnus Bäck
On Wed, July 1, 2009 8:13 am, Rob Brandt said:

> Could I get an example of how to use postmap -q?  I have tried:
>
> postmap -q "X-Spam-Flag: YES" /etc/postfix/header_checks
>
> where "X-Spam-Flag: YES" is the header I am trying to check and
> /etc/postfix/header_checks is the current name of my header_checks file.

Yes, but you need to tell Postfix that it's a regexp map:

postmap -q "X-Spam-Flag: YES" regexp:/etc/postfix/header_checks

>   I get no return values, I've read the man and I think I'm supposed to
> get a 0 when it matches.

Correct. If you get a match postmap(1) will print the matching line.

--
Magnus Bäck
[hidden email]

Re: header checks not working

Sahil Tandon
In reply to this post by Magnus Bäck
On Wed, 01 Jul 2009, Magnus Bäck wrote:

> On Wednesday, July 01, 2009 at 07:02 CEST,
>      Rob Brandt <[hidden email]> wrote:
>
>
> > Sahil Tandon wrote:
> >
> > > I prefer pcre:, but the following patterns should work with regexp:
> > > as well.
>
> No, {n} isn't supported by regexp.

I too was surprised that {n} seems to work with regexp when tested on the
command line with postmap(1):

  # cat header_test
  /^X-Spam-Flag: YES$/ DISCARD
  /^Subject:.*\*{3}SPAM\*{3}/ DISCARD

  # postmap -q "Subject: foo ***SPAM*** bar" regexp:header_test
  DISCARD

--
Sahil Tandon <[hidden email]>

Re: header checks not working

Noel Jones-2
In reply to this post by Jason Bailey, Sun Advocate Webmaster
Jason Bailey, Sun Advocate Webmaster wrote:

> Rob Brandt wrote:
>> I'm trying to set up a basic header check to get rid of emails sa
>> marks as spam.  I've added the following link to main.cf:
>>
>> header_checks = regexp:/etc/postfix/filter
>>
>> /etc/postfix/filter has:
>>
>>
>> # No ***SPAM***
>> /^Subject .*\*\*\*SPAM\*\*\*/    DISCARD ***SPAM***
>> # SPam flag
>> /^X-Spam-Flag .YES/    DISCARD Spam Flag
>>
>> The intent is to discard emails where either the subject contains
>> ***SPAM*** or the X-Spam-Flag is YES
>>
>> But the filters aren't working.  I am by no means a regex expert.  
>> What am I missing?
>>
>> Rob
>>
>
> I'm no Postfix master (not by a long shot), nor do I have a machine I
> can test this on, but try this:
>
> /^X\-Spam\-Status\:.*YES/i    DISCARD
>
> Since you say your header is different, maybe this:
> /^X\-Spam\-Flag\:.*YES/i    DISCARD
>
> I suppose it depends on the name of the header. I have SpamAssassin
> marking my email and the header is X-Spam-Status, not X-Spam-Flag.
>
> The "/i" at the end implies case insensitivity when matching. I'm not
> sure if Postfix honors such pattern modifiers, but generally speaking,
> when dealing with Perl-compatible regex, that's what the "i" does. If
> Postfix doesn't like it, just take the "i" out.
>
> Jason


No need to escape "-" or ":", and postfix turns on the /i flag
by default - adding the flag to a postfix expression turns on
case sensitivity.
http://www.postfix.org/pcre_table.5.html

Rob's trouble is he forgot the ":" at the end of the header name.

   -- Noel Jones
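
Added example, not part of any post in this thread: a rough stand-in for `postmap -q` against a `regexp:` table, built on `grep -E`, that runs the original and the corrected rules against the headers discussed above. It assumes patterns contain no "/" and use no flag other than "i"; the function name, table names and temporary directory are made up for the illustration, and `postmap -q` on the real server remains the authoritative test.

```shell
#!/bin/sh
# Added illustration: approximate "postmap -q HEADER regexp:TABLE" with grep -E.
# Assumptions: patterns contain no "/" and the only flag in use is "i".

# Print the action of the first matching rule; return 1 if no rule matches.
lookup_header() {
    table=$1
    header=$2
    while IFS= read -r line; do
        # Rules look like /pattern/flags action; skip comments and blanks.
        case $line in
            /*/*) ;;
            *) continue ;;
        esac
        pattern=$(printf '%s\n' "$line" | sed -E 's#^/([^/]*)/.*$#\1#')
        flags=$(printf '%s\n' "$line" | sed -E 's#^/[^/]*/([a-zA-Z]*).*$#\1#')
        action=$(printf '%s\n' "$line" | sed -E 's#^/[^/]*/[a-zA-Z]*[[:space:]]+##')
        # regexp: tables match case-insensitively by default; the "i" flag
        # toggles that off, making the rule case-sensitive.
        case $flags in
            *i*) opt= ;;
            *) opt=-i ;;
        esac
        if printf '%s\n' "$header" | grep -E -q $opt -e "$pattern"; then
            printf '%s\n' "$action"
            return 0
        fi
    done < "$table"
    return 1
}

tables=$(mktemp -d)

# Constructed copy of the rules from the first post (no ":" after the name).
cat > "$tables/original" <<'EOF'
# No ***SPAM***
/^Subject .*\*\*\*SPAM\*\*\*/ DISCARD ***SPAM***
# SPam flag
/^X-Spam-Flag .YES/ DISCARD Spam Flag
EOF

# The corrected rules suggested in the thread, including the {3} bound.
cat > "$tables/fixed" <<'EOF'
/^Subject:.*\*{3}SPAM\*{3}/ DISCARD ***SPAM***
/^X-Spam-Flag: YES$/ DISCARD Spam Flag
EOF

# Constructed variant: a trailing "i" makes the rule case-sensitive.
cat > "$tables/case_sensitive" <<'EOF'
/^X-Spam-Flag: YES$/i DISCARD Spam Flag
EOF

for t in original fixed case_sensitive; do
    for h in 'X-Spam-Flag: YES' 'x-spam-flag: yes' 'Subject: foo ***SPAM*** bar'; do
        result=$(lookup_header "$tables/$t" "$h") || result='(no match)'
        printf '%-15s %-30s -> %s\n' "$t" "$h" "$result"
    done
done
```
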

Re: header checks not working

bronto
In reply to this post by Magnus Bäck


Magnus Bäck wrote, On 6/30/2009 11:39 PM:

> On Wed, July 1, 2009 8:13 am, Rob Brandt said:
>
>> Could I get an example of how to use postmap -q?  I have tried:
>>
>> postmap -q "X-Spam-Flag: YES" /etc/postfix/header_checks
>>
>> where "X-Spam-Flag: YES" is the header I am trying to check and
>> /etc/postfix/header_checks is the current name of my header_checks file.
>
> Yes, but you need to tell Postfix that it's a regexp map:
>
> postmap -q "X-Spam-Flag: YES" regexp:/etc/postfix/header_checks
>
>>   I get no return values, I've read the man and I think I'm supposed to
>> get a 0 when it matches.
>
> Correct. If you get a match postmap(1) will print the matching line.
>


Excellent, I now get a match using postmap.  If the spam doesn't cease,
I'll be back.  Thanks everyone!

Rob


Re: header checks not working

bronto


Rob Brandt wrote, On 7/1/2009 9:09 AM:

>
> Excellent, I now get a match using postmap.  If the spam doesn't cease,
> I'll be back.  Thanks everyone!
>
> Rob
>

Nuts.  I am still getting spam.  Is there any reason header_checks might
not be enabled?  Is header_checks being run before SA processes it?

Here's my header_checks file:
*********************************************
# X-Spam-Flag
/^X-Spam-Flag: YES$/ DISCARD X-Spam-Flag

Here's my current main.cf:
*********************************************
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.dom.ain
alias_maps = hash:/etc/aliases,hash:/usr/local/mailman/data/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = amd64.dom.ain, localhost.dom.ain,localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
virtual_alias_maps =
hash:/etc/postfix/virtual,hash:/usr/local/mailman/data/virtual-mailman
home_mailbox = Maildir/
content_filter = smtp-amavis:[127.0.0.1]:10024
debug_peer_list = amd64.dom.ain

unknown_local_recipient_reject_code = 550
transport_maps = hash:/etc/postfix/transport
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
inet_interfaces = all
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
header_checks = regexp:/etc/postfix/header_checks

Here's the headers from a very spammy email I just received:
*************************************************************
Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from localhost (localhost [127.0.0.1])
        by mail.dom.ain (Postfix) with ESMTP id A24B1422C5
        for <[hidden email]>; Wed,  1 Jul 2009 10:10:54 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at amd64.dom.ain
X-Spam-Flag: YES
X-Spam-Score: 27.191
X-Spam-Level: ***************************
X-Spam-Status: Yes, score=27.191 tagged_above=-999 required=6.31
        tests=[BAYES_99=3.5, DIGEST_MULTIPLE=0.001, FH_HELO_ALMOST_IP=3.565,
        FH_HOST_EQ_DYNAMICIP=4.058, HELO_DYNAMIC_SPLIT_IP=3.493,
        HTML_FONT_SIZE_LARGE=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
        PYZOR_CHECK=3.7, RAZOR2_CF_RANGE_51_100=0.5,
        RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_PBL=0.905,
        RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1]
X-Spam-Report:
  *  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
  *      [score: 1.0000]
  *  4.1 FH_HOST_EQ_DYNAMICIP Host is dynamicip
  *  3.5 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split
  *      IP)
  *  3.6 FH_HELO_ALMOST_IP Helo is almost an IP addr.
  *  0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
  *      [88.5.123.52 listed in zen.spamhaus.org]
  *  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
  *  0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
  *      [88.5.123.52 listed in dnsbl.sorbs.net]
  *  0.0 HTML_MESSAGE BODY: HTML included in message
  *  0.0 HTML_FONT_SIZE_LARGE BODY: HTML font size is large
  *  1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
  *  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
  *      above 50%
  *      [cf: 100]
  *  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
  *  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
  *      [cf: 100]
  *  3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
  *  0.0 DIGEST_MULTIPLE Message hits more than one network digest check
  *  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
  *      dynamic-looking rDNS
Received: from mail.dom.ain ([127.0.0.1])
        by localhost (amd64.dom.ain [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id z1oE2BXbOpmz for <[hidden email]>;
        Wed,  1 Jul 2009 10:10:49 -0700 (PDT)
Received: from 52.Red-88-5-123.dynamicIP.rima-tde.net
(52.Red-88-5-123.dynamicIP.rima-tde.net [88.5.123.52])
        by mail.dom.ain (Postfix) with ESMTP id 39BCB42208
        for <[hidden email]>; Wed,  1 Jul 2009 10:10:43 -0700 (PDT)
Received: from localhost (nr.ru [127.0.0.1])
        by nr.ru (8.14.2/8.14.2) with SMTP id ywaeec63;
        Wed, 1 Jul 2009 18:10:21 +0100
        (envelope-from [hidden email])
To: Bronto <[hidden email]>
Subject: ***SPAM*** =?koi8-r?B?8sHT0M/T1NLBztHFzSDJzsbP0s3Bw8nA?=
X-PHP-Script: nr.ru/index.php
From: =?koi8-r?B?7cHSyyD7wdLP1w==?= <[hidden email]>
Auto-Submitted: auto-generated
Message-ID: <[hidden email]>
MIME-Version: 1.0
Content-Type: text/html; charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: IPB PHP


Re: header checks not working

Brian Evans - Postfix List
Rob Brandt wrote:

>
>
> Rob Brandt wrote, On 7/1/2009 9:09 AM:
>
>>
>> Excellent, I now get a match using postmap.  If the spam doesn't
>> cease, I'll be back.  Thanks everyone!
>>
>> Rob
>>
>
> Nuts.  I am still getting spam.  Is there any reason header_checks
> might not be enabled?  Is header_checks being run before SA processes it?
>
> Here's my header_checks file:
> *********************************************
> # X-Spam-Flag
> /^X-Spam-Flag: YES$/    DISCARD X-Spam-Flag
>
> Here's my current main.cf:
> *********************************************
> content_filter = smtp-amavis:[127.0.0.1]:10024

'postconf -n' is preferred here over pasting main.cf.  Your eyes may
play tricks on you.

Do you have anything like:
"receive_override_options=no_header_body_checks" in master.cf for the
content_filter reinjection?
This will not match if so.



Re: header checks not working

Terry Carmen
In reply to this post by bronto
> Rob Brandt wrote, On 7/1/2009 9:09 AM:
>
>>
>> Excellent, I now get a match using postmap.  If the spam doesn't cease,
>> I'll be back.  Thanks everyone!
>>
>> Rob
>>
>
> Nuts.  I am still getting spam.  Is there any reason header_checks might
> not be enabled?  Is header_checks being run before SA processes it?

You'll pretty much always get spam. The question is how spammy does
spamassassin think it is, is it being flagged with the spam header, and is
your header check matching it?

>
> Here's my header_checks file:
> *********************************************
> # X-Spam-Flag
> /^X-Spam-Flag: YES$/ DISCARD X-Spam-Flag
>
> Here's my current main.cf:
> *********************************************

Without trying to be a "Master of the Obvious", are you actually getting the
X-Spam-Flag header in your messages? If you're using amavis, it may eat the
spam headers depending on configuration.

Also, you don't need the "$" at the end of the string.

FWIW, you might want to use X-Spam-Level instead of X-Spam-Flag, since it
gives you more control over how spammy something is before you take action:

/^X-Spam-Level.*\*\*\*\*\*/ HOLD

works nicely, for example.

When you fire up postfix are there any error messages in the log?

Terry




--
CNY Support, LLC
Web. Database. Business
http://www.cnysupport.com




Re: header checks not working

bronto
In reply to this post by Brian Evans - Postfix List

Brian Evans - Postfix List wrote, On 7/1/2009 10:40 AM:

>
> Do you have anything like:
> "receive_override_options=no_header_body_checks" in master.cf for the
> content_filter reinjection?
> This will not match if so.


Bingo:

-o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Any negative consequences for eliminating this line, or changing it to:

-o receive_override_options=no_unknown_recipient_checks

Rob


Re: header checks not working

Jan P. Kessler-2

> Bingo:
>
> -o
> receive_override_options=no_header_body_checks,no_unknown_recipient_checks
>
>
> Any negative consequences for eliminating this line, or changing it to:
>
> -o receive_override_options=no_unknown_recipient_checks

header_checks will be executed twice



Re: header checks not working

bronto


Jan P. Kessler wrote, On 7/1/2009 12:34 PM:

>> Bingo:
>>
>> -o
>> receive_override_options=no_header_body_checks,no_unknown_recipient_checks
>>
>>
>> Any negative consequences for eliminating this line, or changing it to:
>>
>> -o receive_override_options=no_unknown_recipient_checks
>
> header_checks will be executed twice
>
>

That doesn't sound right or good. What's the right way to do this?

Rob


Re: header checks not working

Victor Duchovni
On Wed, Jul 01, 2009 at 01:50:02PM -0700, Rob Brandt wrote:

>
>
> Jan P. Kessler wrote, On 7/1/2009 12:34 PM:
>>> Bingo:
>>>
>>> -o
>>> receive_override_options=no_header_body_checks,no_unknown_recipient_checks
>>>
>>>
>>> Any negative consequences for eliminating this line, or changing it to:
>>>
>>> -o receive_override_options=no_unknown_recipient_checks
>> header_checks will be executed twice
>
> That doesn't sound right or good. What's the right way to do this?

Nothing wrong with that, especially if your header_checks file is
reasonably short and simple (as it should be).

If you are using 2.6, you could try a multi-instance config, with
separate header checks before and after the filter.

    http://www.postfix.org/MULTI_INSTANCE_README.html

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
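
Added example, not part of any post in this thread: a check that lists which master.cf services carry `no_header_body_checks`, run against the setting before and after the change asked about above. The X-Spam-Flag header only exists once amavis has tagged the message, so the rule can only fire on the listener that takes mail back from the filter. The master.cf fragment is constructed (the service layout and port 10025 are assumptions, only `smtp-amavis` and the override line come from the thread), and the function name is made up for the illustration.

```shell
#!/bin/sh
# Added illustration: list master.cf services that turn header_checks off.

# Print "service command" for every master.cf entry whose -o overrides
# include receive_override_options=...no_header_body_checks...
services_skipping_header_checks() {
    awk '
        function emit(   f) {
            if (entry ~ /receive_override_options=[^ \t]*no_header_body_checks/) {
                split(entry, f, /[ \t]+/)
                print f[1] " " f[8]     # service name and command
            }
            entry = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        /^[ \t]/ { entry = entry " " $0; next }    # continuation line
        { emit(); entry = $0 }                     # a new service entry starts
        END { emit() }
    ' "$1"
}

cfgdir=$(mktemp -d)

# Constructed master.cf fragment: public smtpd, the transport to amavis,
# and the listener that receives mail back from the content filter.
cat > "$cfgdir/master.cf.before" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
smtp-amavis unix -      -       -       -       2       smtp
    -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet n  -       -       -       -       smtpd
    -o content_filter=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
EOF

# The change asked about in the thread: keep only no_unknown_recipient_checks.
sed 's/no_header_body_checks,//' "$cfgdir/master.cf.before" \
    > "$cfgdir/master.cf.after"

for f in before after; do
    printf '%s: %s\n' "$f" \
        "$(services_skipping_header_checks "$cfgdir/master.cf.$f")"
done
```

With the override removed, header_checks runs on both the public listener and the reinjection listener, which is the "executed twice" behaviour mentioned above.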

Re: header checks not working

Sahil Tandon
In reply to this post by Magnus Bäck
On Wed, 01 Jul 2009, Magnus Bäck wrote:

> > Sahil Tandon wrote:
> >
> > > I prefer pcre:, but the following patterns should work with regexp:
> > > as well.
>
> No, {n} isn't supported by regexp.

It is.  As noted in regexp_table(5), each pattern is a POSIX regular
expression, whose syntax is documented in re_format(7).  For posterity (and
the interested reader), a relevant excerpt from the man page:

     A bound is `{' followed by an unsigned decimal integer, possibly followed
     by `,' possibly followed by another unsigned decimal integer, always
     followed by `}'.  The integers must lie between 0 and RE_DUP_MAX (255)
     inclusive, and if there are two of them, the first may not exceed the
     second.  An atom followed by a bound containing one integer i and no
     comma matches a sequence of exactly i matches of the atom.  An atom
     followed by a bound containing one integer i and a comma matches a
     sequence of i or more matches of the atom.  An atom followed by a bound
     containing two integers i and j matches a sequence of i through j
     (inclusive) matches of the atom.

Also see the EXAMPLE BODY FILTER MAP in regexp_table(5) for another example
of how to use bounds with regexp.

--
Sahil Tandon <[hidden email]>