header_checks question

header_checks question

jmpatagonia
Hello, I need help using header_checks. I created a rule

/^Subject:.*hacked*/ DISCARD

that works properly, but I want to know if it is possible to email me or alert
me when this rule occurs or is applied, in some way. Obviously I see that in
the mail.log

regards




Re: header_checks question

Wietse Venema
jmpatagonia:
> Hello, I need help using header_checks. I created a rule
>
> /^Subject:.*hacked*/ DISCARD

An alternative is to use HOLD action, assuming you aren't using
software that hijacks the HOLD feature for other purposes, such as
mailscanner. Then you can review the email with "postcat -q" and
delete it with "postsuper -d".

> that works properly, but I want to know if it is possible to email me or alert
> me when this rule occurs or is applied, in some way. Obviously I see that in
> the mail.log

A logfile scanner such as fail2ban could do that for you. Ideally
there is a rate limit so that you won't be email bombed.

        Wietse

Re: header_checks question

jmpatagonia
Hello Wietse, do you mean to use the HOLD action on header_checks?

like this?

/^Subject:.*hacked*/ HOLD

And what is that supposed to do?

Is the email held in the queue? And I can check with the mailq command? And later delete it from the queue and email me an alert?

Sorry for asking and not trying, because we have only a production environment and don't want to make a mistake on the service.

Regards







Re: header_checks question

Matus UHLAR - fantomas
On 27.04.20 13:27, Juan Manuel P wrote:
>Hello Wietse, do you mean to use the HOLD action on header_checks?
>
>like this?
>
>/^Subject:.*hacked*/ HOLD
>
>And what is that supposed to do?

If Wietse's message wasn't enough for you, I recommend looking at
http://www.postfix.org/header_checks.5.html

>Is the email held in the queue? And I can check with the mailq command?
>And later delete it from the queue and email me an alert?
>
>Sorry for asking and not trying, because we have only a production environment
>and don't want to make a mistake on the service.

>On Mon, 27 Apr 2020 at 12:59, Wietse Venema (<[hidden email]>)
>wrote:
>
>> jmpatagonia:
>> > Hello, I need help using header_checks. I created a rule
>> >
>> > /^Subject:.*hacked*/ DISCARD
>>
>> An alternative is to use HOLD action, assuming you aren't using
>> software that hijacks the HOLD feature for other purposes, such as
>> mailscanner. Then you can review the email with "postcat -q" and
>> delete it with "postsuper -d".
>>
>> > that works properly, but I want to know if it is possible to email me or
>> > alert me when this rule occurs or is applied, in some way. Obviously I see
>> > that in the mail.log
>>
>> A logfile scanner such as fail2ban could do that for you. Ideally
>> there is a rate limit so that you won't be email bombed.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/

Re: header_checks question

Wietse Venema
Juan Manuel P:
> Hello Wietse, do you mean to use the HOLD action on header_checks?
>
> like this?
>
> /^Subject:.*hacked*/ HOLD

By the way that "*" at the end is useless.

> And what is that supposed to do?
>
> Is the email held in the queue? And I can check with the mailq command?
> And later delete it from the queue and email me an alert?

Yes, as described in my reply.

    Then you can review the email with "postcat -q" and
    delete it with "postsuper -d".

> Sorry for asking and not trying, because we have only a production environment
> and don't want to make a mistake on the service.

Then DISCARD should be considered unsafe, as it is irreversible.
HOLD is safer because it can be undone with "postsuper -H".

        Wietse
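
The log scanning with a rate limit suggested in this thread, as an added example (not code from the thread, from Postfix or from fail2ban). It assumes the rule uses HOLD or DISCARD and that postfix/cleanup logs each match in the `queueid: hold: header ...` syslog form; the sample lines, host names, queue IDs and addresses are constructed, and `scan`, its `window` and its `year` parameter are hypothetical names.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the form postfix/cleanup logs header_checks actions.
SAMPLE_LOG = """\
Apr 27 13:01:02 mx1 postfix/cleanup[2211]: 4F1B2C0A3D: hold: header Subject: Your account was hacked from unknown[192.0.2.10]; from=<a@example.org> to=<user@example.com> proto=ESMTP helo=<host.example.org>
Apr 27 13:01:05 mx1 postfix/qmgr[1980]: 7A9D1C0A41: from=<b@example.org>, size=2210, nrcpt=1 (queue active)
Apr 27 13:01:40 mx1 postfix/cleanup[2211]: 8C2E4C0A52: hold: header Subject: hacked!! from unknown[192.0.2.11]; from=<c@example.org> to=<user@example.com> proto=ESMTP helo=<x.example.org>
Apr 27 13:20:00 mx1 postfix/cleanup[2230]: 9D3F5C0A63: hold: header Subject: you got hacked from unknown[192.0.2.12]; from=<d@example.org> to=<user@example.com> proto=ESMTP helo=<y.example.org>
"""

# The header text is sender-controlled. The greedy ".*" makes the match settle on
# the last " from client[addr]; from=<...>" field, the one Postfix appends, so a
# Subject containing a look-alike field does not replace the logged sender.
HIT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ postfix/cleanup\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): (?P<action>hold|discard): header (?P<header>.*)"
    r" from \S+\[[^\]]+\]; from=<(?P<sender>[^>]*)>"
)


def scan(lines, window=timedelta(minutes=10), year=2020):
    """Return alert texts: at most one per `window`; hits in between are only counted."""
    alerts, last_alert, suppressed = [], None, 0
    for line in lines:
        m = HIT.match(line)
        if not m:
            continue
        # Traditional syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if last_alert is not None and ts - last_alert < window:
            suppressed += 1  # rate limit: no new alert inside the window
            continue
        alerts.append(
            f"{m['action']} {m['qid']} sender={m['sender']} {m['header']!r} "
            f"(+{suppressed} suppressed); review: postcat -q {m['qid']}"
        )
        last_alert, suppressed = ts, 0
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Each returned string is the body of one notification; the held message it names is then deleted with `postsuper -d` or released with `postsuper -H`, as described in the thread.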