MacShane, Tracy wrote:
I'm trying to create a very simple body check for a limited time to get
an indicative idea of how many users may be sending credit card numbers
via email. I have a simple pcre body_check map that is logging a warning
when it encounters a match. Unfortunately, the entire message line that
triggers the warning is added to the mail log, naturally with the
potential credit card number in plain text.

cat /etc/postfix/body_checks.pcre
/\b(?:\d[ -]*){13,16}\b/ WARN Credit card number

Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning:
body text 1243 1211 1232 1232 blah blah from
localhost.localdomain[127.0.0.1]; from=<[EMAIL PROTECTED]>
to=<test.user@domain.example.com> proto=SMTP
helo=<server.example.com>: Credit card number

Our security people are having wibbles about this logging regime, so I
was wondering if there was some way to ensure the WARN action doesn't
log the matched line (I can obviously append a truncated version of the
apparent number with the optional text), or if there might be a better
way to do this auditing task.

You can use HOLD, then have a cron job check the message and release it.
Alternatively, you can use FILTER to pass the message to another smtpd.
Example:

== body_checks:
/..../ FILTER filter:[127.0.0.1]:25666

== master.cf
127.0.0.1:25666 ..... smtpd
    -o syslog_name=postwatch
    -o receive_override_options=no_address_mappings
    -o mynetworks=127.0.0.1
    -o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions}
    ...

== main.cf
smtpd666_recipient_restrictions=
    check_client_access pcre:/etc/postfix/logcard
    permit_mynetworks
    reject

== logcard
/./ WARN credit card blah blah

Note that this will override your content filter setting. If you had
one, then make sure it is used in the :25666 smtpd (either explicit -o
content_filter=... in master.cf, or a content_filter=... in main.cf will
do).

PS. If you use ClamAV, check its Data Loss Protection feature.
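
The audit that the HOLD suggestion above implies, as an added example (not code from the thread or from Postfix): a Python check that a cron job could run over the body text of each held message. It reuses the thread's candidate pattern, adds a Luhn checksum to drop digit runs that cannot be card numbers, and reports only a masked form; the function names, the report format and the first-6/last-4 masking are assumptions.

```python
import re

# Candidate pattern from the thread's body_checks rule: 13 to 16 digits,
# each optionally followed by spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d[ -]*){13,16}\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first 6 and last 4 digits (assumed masking policy)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def audit_body(queue_id, body):
    """Return report lines for Luhn-valid candidates; never the raw number."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), 1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if luhn_ok(digits):
                findings.append(
                    f"{queue_id}: body line {lineno}: "
                    f"possible card number {mask(digits)}"
                )
    return findings


if __name__ == "__main__":
    # Constructed sample body: the digit run from the thread's log line
    # (fails Luhn) and a well-known Visa test number (passes Luhn).
    sample = (
        "body text 1243 1211 1232 1232 blah blah\n"
        "please charge 4111-1111-1111-1111 today\n"
    )
    for entry in audit_body("98D7015E0091", sample):
        print(entry)
```

The digit run from the thread's log line matches the body_checks pattern but fails the Luhn check, so it is not reported at all.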