Daniel Reinhardt
Website: www.cryptodan.com
Email: [EMAIL PROTECTED]
Junior Network Security Engineer
----- Original Message ----
> From: mouss <[EMAIL PROTECTED]>
> To: Postfix users <postfix-users@postfix.org>
> Sent: Friday, November 14, 2008 7:58:45 AM
> Subject: Re: Body checks and warning log
>
> MacShane, Tracy wrote:
> > I'm trying to create a very simple body check for a limited time to get
> > an indicative idea of how many users may be sending credit card numbers
> > via email. I have a simple pcre body_check map that is logging a warning
> > when it encounters a match. Unfortunately, the entire message line that
> > triggers the warning is added to the mail log, naturally with the
> > potential credit card number in plain text.
> >
> > cat /etc/postfix/body_checks.pcre
> > /\b(?:\d[ -]*){13,16}\b/ WARN Credit card number
> >
> > Nov 14 11:54:28 smtptest postfix/cleanup[21394]: 98D7015E0091: warning:
> > body text 1243 1211 1232 1232 blah blah from
> > localhost.localdomain[127.0.0.1]; from= to=test.user @ domain.example.com proto=SMTP
> > helo=: Credit card number
> >
> > Our security people are having wibbles about this logging regime, so I
> > was wondering if there was some way to ensure the WARN action doesn't
> > log the matched line (I can obviously append a truncated version of the
> > apparent number with the optional text), or if there might be a better
> > way to do this auditing task.
> >
>
> you can use HOLD, then have a cron job to check the message and release it.
>
> Alternatively, you can use FILTER to pass the message to another smtpd.
> example:
>
> == body_checks:
> /..../ FILTER filter:[127.0.0.1]:25666
>
> == master.cf
> 127.0.0.1:25666 ..... smtpd
>   -o syslog_name=postwatch
>   -o receive_override_options=no_address_mappings
>   -o mynetworks=127.0.0.1
>   -o smtpd_recipient_restrictions=${smtpd666_recipient_restrictions}
>   ...
>
> == main.cf
> smtpd666_recipient_restrictions=
>   check_client_access pcre:/etc/postfix/logcard
>   permit_mynetworks
>   reject
>
> == logcard
> /./ WARN credit card blah blah
>
> note that this will override your content filter setting. if you had one, then
> make sure it is used in the :25666 smtpd (either explicit -o content_filter=...
> in master.cf, or a content_filter=... in main.cf will do).
>
> PS. if you use clamav, check its Data Loss Protection feature.

Do you have American Express cards covered and other store based credit cards? Also do you account for the expiration date and 3 digit security code?
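As an added example that is not part of the thread: the matching side of what Tracy describes, written in Python instead of a Postfix map, so the audit record can be built without the matching body line. It reuses the body_checks regex from the thread, adds a Luhn check (not in the original) to discard digit runs that cannot be card numbers, and logs only the last four digits; the sample lines and the function names are constructed for this example.

```python
import re
from typing import List, Optional

# The pcre body_checks pattern quoted in the thread: 13 to 16 digits that may be
# separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]*){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; drops most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Replace all but the last four digits so the audit record is not itself a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_cards(text: str) -> List[str]:
    """Masked candidates: regex hit, 13-16 digits once separators are removed, Luhn-valid."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))   # the pattern may swallow trailing separators
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def audit_record(queue_id: str, body_line: str) -> Optional[str]:
    """Log-safe message: queue id plus masked numbers, never the matching body line."""
    hits = find_cards(body_line)
    if not hits:
        return None
    return f"{queue_id}: warning: possible card number(s) {', '.join(hits)}; body text withheld"


if __name__ == "__main__":
    # Constructed sample lines; 4111... and 3782... are the well-known Visa/Amex test numbers.
    for line in ("body text 1243 1211 1232 1232 blah blah",
                 "please charge 4111-1111-1111-1111 for the order",
                 "amex 3782 822463 10005 exp 12/25 cvv 123"):
        print(audit_record("98D7015E0091", line))
```

The 15-digit Amex format is covered by the thread's regex as written; the digits from the log sample in the thread match the regex but fail Luhn, so they would not be reported.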