problem with smtpd_milter and header_checks

Jiri Veselsky
Hello all (first, sorry for my English).
I have a small (big) problem configuring Postfix to drop messages with
header_checks.
In main.cf I have:
smtpd_milters = local:/...../clamav-milter.sock  
local:/...../spamass-milter.sock
milter_default_action = accept

If I receive a message from the Internet, the headers contain these rows from the milters:

X-Virus-Scanned: clamav-milter 0.95.1 at ...
X-Virus-Status: Clean
X-Spam-Flag: YES
X-Spam-Status: Yes, score=11.6 required=7.0...
X-Spam-Level: ***********
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ...

I think that the milters work correctly. I saved the message as message.txt for
testing.

The next row in main.cf is:
header_checks = regexp:/usr/local/etc/postfix/header_checks

The header_checks file contains:
/^X-Spam-Status: Yes/ DISCARD

I test it:
postmap -q - regexp:/usr/local/etc/postfix/header_checks < message.txt

I think that header_checks works, because it shows the row:
X-Spam-Status: Yes, score=11.6 required=7.0... DISCARD

In master.cf I configured cleanup with -v and read the log, but the
X-Virus... and X-Spam rows are not in the log; that is (I think) why cleanup
does not drop the messages.

Does anyone have an idea? Do the milters run after cleanup?

Thanks

Jirka

Re: problem with smtpd_milter and header_checks

Wietse Venema
Please include "postconf -n" command output in problem reports,
as requested in the mailing list welcome message.

Re: problem with smtpd_milter and header_checks

Robert Schetterer
In reply to this post by Jiri Veselsky
Jiri Veselsky wrote:

> Hallo all. (first sorry for my english)
> I have a small (big) problem with configure Postfix to drop messages
> with header_checks.
> In main.cf I have:
> smtpd_milters = local:/...../clamav-milter.sock
> local:/...../spamass-milter.sock
> milter_default_action = accept
>
> if I receive a message from internet, in headers are rows from milters:
>
> X-Virus-Scanned: clamav-milter 0.95.1 at ...
> X-Virus-Status: Clean
> X-Spam-Flag: YES
> X-Spam-Status: Yes, score=11.6 required=7.0...
> X-Spam-Level: ***********
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ...
>
> I think that milters works correctly. I save message as message.txt for
> testing.
>
> next row in main.cf is:
> header_checks = regexp:/usr/local/etc/postfix/header_checks
>
> in header_checks file is:
> /^X-Spam-Status: Yes/ DISCARD

You shouldn't discard mail only because it was flagged by SpamAssassin;
this is not allowed by law, i.e. in Germany, if you do this for customers.

Use HOLD (for manual inspection) or tell spamass-milter to reject them
at the SMTP income level.
Additionally you may load the Sanesecurity spam sig into clamd, clamav-milter
and reject or hold them at the SMTP income level.


>
> I test it:
> postmap -q - regexp:/usr/local/etc/postfix/header_checks < message.txt
>
> I think that header_checks works, because show row:
> X-Spam-Status: Yes, score=11.6 required=7.0... DISCARD
>
> In master.cf I configure cleanup with -v and I read a log, but rows
> X-Virus... and X-Spam are not in log, that is (I mean) why cleanup do
> not drop messages.
>
> Can anyone idea? Milters are after cleanup?
>
> Thanks
>
> Jirka


--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

Re: problem with smtpd_milter and header_checks

Jiri Veselsky
In reply to this post by Wietse Venema
Sorry, here is the output:

alias_database = dbm:/etc/mail/aliases.db
alias_maps = hash:/etc/mail/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = x.x.x.x, 127.0.0.1, 10.1.3.254
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
milter_default_action = accept
mydestination = $mydomain
mydomain = joe.xxx.xxx
myhostname = joe.xxx.xxx
mynetworks = 127.0.0.0/8, 10.1.0.0/22
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_milters = local:/var/run/clamav/clamav-milter.sock  
local:/var/run/spamass-milter.sock
smtpd_recipient_restrictions = reject_non_fqdn_recipient        
permit_sasl_authenticated       permit_mynetworks        
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender      
permit_mynetworks       reject_rbl_client sbl-xbl.spamhaus.org  
reject_rbl_client cbl.abuseat.orgreject_rbl_client dul.dnsbl.sorbs.net    
reject_unknown_sender_domain
transport_maps = mysql:/usr/local/etc/postfix/virtual_transport.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/usr/local/etc/postfix/virtual_aliases.cf
virtual_gid_maps = mysql:/usr/local/etc/postfix/virtual_gids.cf
virtual_mailbox_base = /
virtual_mailbox_domains = mysql:/usr/local/etc/postfix/virtual_domains.cf
virtual_mailbox_maps = mysql:/usr/local/etc/postfix/virtual_mailboxes.cf
virtual_uid_maps = mysql:/usr/local/etc/postfix/virtual_uids.cf

Re: problem with smtpd_milter and header_checks

Jiri Veselsky
In reply to this post by Robert Schetterer
>
> you shouldnt discard mail, only cause flagged by spamassassin
> this is not allowed i.e in germany by law, if you do this for customers
>
> use hold ( for manual inspection ) or tell spamass-milter to reject them
> at smtp income level
> additionally you may load sanesecurity spam sig to clamd, clamav-milter
> and reject or hold them at smtp income level
>
>
I do it for our company, and the top managers say "drop every email with spam
level 7 or higher".
I am a small man, I do what the managers say :-(

J.

Re: problem with smtpd_milter and header_checks

Wietse Venema
In reply to this post by Jiri Veselsky
Jiri Veselsky:

> Hallo all. (first sorry for my english)
> I have a small (big) problem with configure Postfix to drop messages with  
> header_checks.
> In main.cf I have:
> smtpd_milters = local:/...../clamav-milter.sock  
> local:/...../spamass-milter.sock
> milter_default_action = accept
>
> if I receive a message from internet, in headers are rows from milters:
>
> X-Virus-Scanned: clamav-milter 0.95.1 at ...
> X-Virus-Status: Clean
> X-Spam-Flag: YES
> X-Spam-Status: Yes, score=11.6 required=7.0...
> X-Spam-Level: ***********
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ...
>
> I think that milters works correctly. I save message as message.txt for  
> testing.
>
> next row in main.cf is:
> header_checks = regexp:/usr/local/etc/postfix/header_checks
>
> in header_checks file is:
> /^X-Spam-Status: Yes/ DISCARD
>
> I test it:
> postmap -q - regexp:/usr/local/etc/postfix/header_checks < message.txt
>
> I think that header_checks works, because show row:
> X-Spam-Status: Yes, score=11.6 required=7.0... DISCARD
>
> In master.cf I configure cleanup with -v and I read a log, but rows  
> X-Virus... and X-Spam are not in log, that is (I mean) why cleanup do not  
> drop messages.
>
> Can anyone idea? Milters are after cleanup?

Postfix header_checks happen while mail is received.

Milters can add headers only after the end of the email message is
received. That is a feature of the Milter protocol.

The Milter protocol has a DISCARD feature. If you can configure
your application to send SMFIR_DISCARD into Postfix then you are
done.

On the other hand, if header_checks are the only way, it will take
new code (not happening soon) or extra configuration (see example
below).

No code has been written to apply header_checks and body_checks
when Milters add or modify the message content. The question has
never come up, so that could be called an oversight. I don't have
much time to write new code soon, so the next option is better.

You can work around this with a null content filter (Postfix
SMTP client talking directly to Postfix SMTP server on port
10025). Below is a basic example; the text in FILTER_README
provides configurations with more bells and whistles.

/etc/postfix/master.cf:
1  # ====================================================================
2  # service type  private unpriv  chroot  wakeup  maxproc command + args
3  #               (yes)   (yes)   (yes)   (never) (100)
4  # ====================================================================
5  smtp      inet  n       -       n       -       -       smtpd
6      -o content_filter=smtp:127.0.0.1:10025
7  127.0.0.1:10025 inet  n -       n       -       -       smtpd
8      -o content_filter=

Line 5-6: this is the Internet-facing SMTP server. We add a content
filter setting that sends mail into localhost port 10025.

Line 7-8: this is an internal SMTP server that receives mail with
the Milter-added headers. This is then subject to header_checks
in the way that you expect it to work. For safety it kills off
any content_filter settings from main.cf.

        Wietse

Re: problem with smtpd_milter and header_checks

Jiri Veselsky
> Postfix header_checks happen while mail is received.
>
> Milters can add headers only after the end of the email message is
> received. That is a feature of the Milter protocol.
>
> The Milter protocol has a DISCARD feature. If you can configure
> your application to send SMFIR_DISCARD into Postfix then you are
> done.
>
> On the other hand, if header_checks are the only way, it will take
> new code (not happening soon) or extra configuration (see example
> below).
>
> No code has been written to apply header_checks and body_checks
> when Milters add or modify the message content. The question has
> never come up, so that could be called an oversight. I don't have
> much time to write new code soon, so the next option is better.
>
> You can work around this with a null content filter (Postfix
> SMTP client talking directly to Postfix SMTP server on port
> 10025). Below is a basic example; the text in FILTER_README
> provides configurations with more bells and whistles.
>
> /etc/postfix/master.cf:
> 1  # ====================================================================
> 2  # service type  private unpriv  chroot  wakeup  maxproc command + args
> 3  #               (yes)   (yes)   (yes)   (never) (100)
> 4  # ====================================================================
> 5  smtp      inet  n       -       n       -       -       smtpd
> 6      -o content_filter=smtp:127.0.0.1:10025
> 7  127.0.0.1:10025 inet  n -       n       -       -       smtpd
> 8      -o content_filter=
>
> Line 5-6: this is the Internet-facing SMTP server. We add a content
> filter setting that sends mail into localhost port 10025.
>
> Line 7-8: this is an internal SMTP server that receives mail with
> the Milter-added headers. This is then subject to header_checks
> in the way that you expect it to work. For safety it kills off
> any content_filter settings from main.cf.
>
> Wietse
>

Many thanks, I will try it...

J.

Re: problem with smtpd_milter and header_checks

Robert Schetterer
In reply to this post by Jiri Veselsky
Jiri Veselsky wrote:

>>
>> you shouldnt discard mail, only cause flagged by spamassassin
>> this is not allowed i.e in germany by law, if you do this for customers
>>
>> use hold ( for manual inspection ) or tell spamass-milter to reject them
>> at smtp income level
>> additionally you may load sanesecurity spam sig to clamd, clamav-milter
>> and reject or hold them at smtp income level
>>
>>
> I do it for our company and top-managers says "drop every emails with
> spam level 7 or higher"
> I am small man, I do what managers says :-(
>
> J.

Yep, do this with reject and i.e. spamass-milter -r 7 ....
Why search for other solutions if the right one is already there
and you already have spamass-milter set up?

SpamAssassin Sendmail Milter Plugin

Usage: spamass-milter -p socket [-b|-B bucket] [-d xx[,yy...]] [-D host]
                      [-e defaultdomain] [-f] [-i networks] [-m] [-M]
                      [-P pidfile] [-r nn] [-u defaultuser] [-x] [-a]
                      [-- spamc args ]
   -p socket: path to create socket
 -a: don't scan messages over an authenticated connexion.
   -b bucket: redirect spam to this mail address.  The orignal
          recipient(s) will not receive anything.
   -B bucket: add this mail address as a BCC recipient of spam.
   -d xx[,yy ...]: set debug flags.  Logs to syslog
   -D host: connect to spamd at remote host (deprecated)
   -e defaultdomain: pass full email address to spamc instead of just
          username.  Uses 'defaultdomain' if there was none
   -f: fork into background
   -i: skip (ignore) checks from these IPs or netblocks
          example: -i 192.168.12.5,10.0.0.0/8,172.16.0.0/255.255.0.0
   -m: don't modify body, Content-type: or Subject:
   -M: don't modify the message at all
   -P pidfile: Put processid in pidfile
   -r nn: reject messages with a score >= nn with an SMTP error.
          use -1 to reject any messages tagged by SA.
   -u defaultuser: pass the recipient's username to spamc.
          Uses 'defaultuser' if there are multiple recipients.
   -x: pass email address through alias and virtusertable expansion.
   -- spamc args: pass the remaining flags to spamc.



--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

milter_header_checks (was: problem with smtpd_milter and header_checks)

Wietse Venema
In reply to this post by Jiri Veselsky
Jiri Veselsky:

> X-Virus-Scanned: clamav-milter 0.95.1 at ...
> X-Virus-Status: Clean
> X-Spam-Flag: YES
> X-Spam-Status: Yes, score=11.6 required=7.0...
> X-Spam-Level: ***********
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on ...
>
> I think that milters works correctly. I save message as message.txt for  
> testing.
>
> next row in main.cf is:
> header_checks = regexp:/usr/local/etc/postfix/header_checks
>
> in header_checks file is:
> /^X-Spam-Status: Yes/ DISCARD

I have added header checks for Milter-generated mail headers.
The feature is called "milter_header_checks".

It is available from Postfix mirrors as postfix-2.7-20090607, and
also available as an optional patch for Postfix 2.6.

        Wietse

milter_header_checks (default: empty)

    Optional lookup tables for content inspection of message headers that
    are produced by Milter applications. See the header_checks(5) manual
    page for available actions. Currently, PREPEND is not implemented.

    The following example sends all mail that is marked as SPAM to a spam
    handling machine. Note that matches are case-insensitive by default.

        /etc/postfix/main.cf:
            milter_header_checks = pcre:/etc/postfix/milter_header_checks

        /etc/postfix/milter_header_checks:
            /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25

    The milter_header_checks mechanism could also be used for whitelisting.
    For example it could be used to skip heavy content scans for DKIM-
    signed mail from known friendly domains.

    This feature is available in Postfix 2.7, and as an optional patch  for
    Postfix 2.6.
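
Added example (not part of the original thread and not Postfix code): a small Python model of the ordering described above, showing why the `postmap -q` test on the saved message.txt matched while cleanup never acted, and how a separate milter_header_checks table closes that gap. Assumptions: the rule parser only approximates regexp_table(5) syntax using Python's `re`, "first matching action wins" is a simplification, and the HOLD rule on X-Spam-Level plus the From/Subject sample headers are constructed for illustration.

```python
import re

def parse_table(text):
    """Parse '/pattern/flags ACTION' lines (approximation of regexp_table(5))."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([a-z]*)\s+(\S.*)$", line)
        if m is None:
            raise ValueError("unparsable rule: %r" % line)
        pattern, flags, action = m.groups()
        # Postfix matches case-insensitively by default; the 'i' flag toggles it.
        rules.append((re.compile(pattern, 0 if "i" in flags else re.I), action))
    return rules

def first_action(rules, header):
    """Return the action of the first rule matching one logical header line."""
    for regex, action in rules:
        if regex.search(header):
            return action
    return None

def cleanup_verdict(received, milter_added, header_checks, milter_header_checks=()):
    """Model: header_checks see only headers received from the client;
    Milter-added headers are inspected only by milter_header_checks (2.7+)."""
    for table, headers in ((header_checks, received),
                           (milter_header_checks, milter_added)):
        for header in headers:
            action = first_action(table, header)
            if action:
                return header, action
    return None

# Rule from the thread, plus a constructed threshold rule (7 or more stars).
HEADER_CHECKS = parse_table("/^X-Spam-Status: Yes/ DISCARD")
MILTER_CHECKS = parse_table(r"/^X-Spam-Level: \*{7,}/ HOLD")

# Constructed sample: what the client sent vs. what the milters appended.
RECEIVED = ["From: sender@example.com", "Subject: cheap offer"]
MILTER_ADDED = ["X-Virus-Status: Clean", "X-Spam-Flag: YES",
                "X-Spam-Status: Yes, score=11.6 required=7.0",
                "X-Spam-Level: ***********"]

if __name__ == "__main__":
    # Like 'postmap -q -' on the saved message: every header is tested.
    print([first_action(HEADER_CHECKS, h) for h in RECEIVED + MILTER_ADDED])
    print(cleanup_verdict(RECEIVED, MILTER_ADDED, HEADER_CHECKS))
    print(cleanup_verdict(RECEIVED, MILTER_ADDED, HEADER_CHECKS, MILTER_CHECKS))
```

The offline `postmap -q` style check reports DISCARD because the saved file already contains the Milter-added headers; the model of the live path returns no verdict until a milter_header_checks table is supplied.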