On 5/2/2013 10:53 PM, Nick Bright wrote:
Well, I feel a little silly. I posted the wrong version of the file! Correct version attached. My apologies!

Greetings,

After having a problem with a lot of mail being queued by a compromised end user's mailbox, I was unable to find a script able to remove messages from the queue based on the sasl_username.

The pfdel script is very handy for removing things when the from/to addresses are stable, but in this case the attacker had set random from addresses.

So, I used the original pfdel script and modified it into the attached pfsasl script. I'm a novice with Perl, so there may be some optimizations possible - but it does work properly.

I hope somebody finds this useful :)
The differences are renaming $email_addr to $sasl_user for clarity, and the regex on line 41 was made tighter.
-- 
-----------------------------------------------
- Nick Bright                                 -
- Vice President of Technology                -
- Valnet                                      -
- Tel 888-332-1616 x 315 / Fax 620-331-0789   -
- Web http://www.valnet.net/                  -
-----------------------------------------------
- Are your files safe?                        -
- Valnet Vault - Secure Cloud Backup          -
- More information & 30 day free trial at     -
- http://www.valnet.net/services/valnet-vault -
-----------------------------------------------
#!/usr/bin/perl -w
##
## This script was created by modifying pfdel. Unfortunately, pfdel had no
## license information and no contact information to contribute the script
## back.
##
## This script is public domain with no copyright claimed.
##
## pfsasl - deletes messages submitted under the specified sasl_username
## from the Postfix queue. The SASL login is taken from the envelope
## records that "postcat -q" prints ("named_attribute: sasl_username=..."),
## so it works even when the sender and recipient addresses are random.
##
## Usage: pfsasl <sasl_username>
##
use strict;
use warnings;

# Change these paths if necessary.
my $POSTQUEUE = "/usr/sbin/postqueue";
my $POSTCAT   = "/usr/sbin/postcat";
my $POSTSUPER = "/usr/sbin/postsuper";

my $sasl_user = "";
my $qid       = "";
my $matched   = 0;      # number of queue files deleted
my $euid      = $>;

if ( @ARGV != 1 ) {
    die "Usage: pfsasl <sasl_username>\n";
} else {
    $sasl_user = $ARGV[0];
}

if ( $euid != 0 ) {
    die "You must be root to delete queue files.\n";
}

# List form of open(): the command and its arguments never pass through
# a shell, so nothing in the queue listing can be interpreted by one.
open(QUEUE, "-|", $POSTQUEUE, "-p") ||
    die "Can't get pipe to $POSTQUEUE: $!\n";

my $entry = <QUEUE>;    # skip single header line
$/ = "";                # Rest of queue entries print on multiple lines;
                        # paragraph mode reads one entry per iteration.

while ( $entry = <QUEUE> ) {
    $entry =~ s/^\s+//;
    ($qid) = split(/\s+/, $entry, 2);
    next unless defined($qid) && length($qid);
    next if $qid =~ /^-/;           # trailing "-- N Kbytes in M Requests."
    $qid =~ s/[\*\!]$//;            # strip active (*) / hold (!) marker

    open(MESSAGE, "-|", $POSTCAT, "-q", $qid) ||
        die "Can't get pipe to $POSTCAT: $!\n";

    # Slurp the whole queue file (local restores paragraph mode for the
    # next QUEUE read). \Q...\E keeps metacharacters in the login name
    # from being treated as regex, and the trailing anchor means "bob"
    # no longer matches "bobby" or "bob.smith".
    local $/ = undef;
    my $msg = <MESSAGE>;
    close(MESSAGE);

    if ( defined($msg) && $msg =~ /\bsasl_username=\Q$sasl_user\E$/m ) {
        print "Found match in $qid...\n";
        #
        # Execute postsuper -d with the queue id.
        # postsuper provides feedback when it deletes
        # messages. Let its output go through.
        #
        if ( system($POSTSUPER, "-d", $qid) != 0 ) {
            # If postsuper has a problem, bail.
            die "Error executing $POSTSUPER: error " .
                "code " . ($? >> 8) . "\n";
        }
        $matched++;
    }
} # end of main WHILE loop
close(QUEUE);

if ( ! $matched ) {
    die "No messages with the sasl_username <$sasl_user> " .
        "found in queue.\n";
}
print "Deleted $matched message(s) for sasl_username <$sasl_user>.\n";
exit 0;
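The same queue triage, as an added example that is not the pfsasl script from the post and not Postfix's own code: the parsing of the `postqueue -p` listing and of the `postcat -q` envelope is separated from the privileged commands, so the selection logic can be checked offline on the constructed sample output embedded below. It assumes that `postqueue -p` marks active and held entries with a trailing `*` or `!` on the queue ID and ends with a "-- N Kbytes in M Requests." footer, and that `postcat -q` prints the login as a `named_attribute: sasl_username=<login>` record; the `purge()` wrapper and the `/usr/sbin` paths are hypothetical glue for a live host. It goes slightly beyond the script by comparing the login exactly rather than as a substring, and by deleting all matches in one `postsuper -d -` call.

```python
"""Select Postfix queue entries by SASL login, with offline-testable parsing."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Assumed locations (hypothetical); adjust for the host.
POSTQUEUE = "/usr/sbin/postqueue"
POSTCAT = "/usr/sbin/postcat"
POSTSUPER = "/usr/sbin/postsuper"

# First line of a queue entry: ID, optional '*' (active) / '!' (hold) marker,
# then the size in bytes. Header, footer, deferral reasons "(...)" and the
# indented recipient lines never match this shape.
_ENTRY_RE = re.compile(r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s")
# Envelope record written by smtpd for authenticated submissions.
_SASL_RE = re.compile(r"^named_attribute: sasl_username=(.*)$", re.M)


def queue_ids(postqueue_output: str) -> List[Tuple[str, str]]:
    """(queue_id, status) pairs from `postqueue -p` text; status is '', '*' or '!'."""
    entries = []
    for line in postqueue_output.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def sasl_username(postcat_output: str) -> Optional[str]:
    """SASL login recorded in a `postcat -q` envelope, or None if unauthenticated."""
    m = _SASL_RE.search(postcat_output)
    return m.group(1) if m else None


def select_by_sasl_user(postqueue_output: str,
                        postcat_by_qid: Dict[str, str],
                        login: str) -> List[str]:
    """Queue IDs whose envelope records exactly this login.

    Exact comparison, not a substring regex: a substring match for "bob"
    would also sweep up "bobby" and "bob.smith".
    """
    return [qid for qid, _status in queue_ids(postqueue_output)
            if sasl_username(postcat_by_qid.get(qid, "")) == login]


def purge(login: str, dry_run: bool = True) -> List[str]:
    """Live wrapper (needs root: queue files are not world-readable).

    With dry_run the matches are only returned; otherwise they are fed to
    `postsuper -d -`, which reads queue IDs from stdin, one per line.
    """
    listing = subprocess.run([POSTQUEUE, "-p"], capture_output=True,
                             text=True, check=True).stdout
    envelopes = {}
    for qid, _status in queue_ids(listing):
        cat = subprocess.run([POSTCAT, "-q", qid], capture_output=True, text=True)
        envelopes[qid] = cat.stdout  # empty if the message already left the queue
    victims = select_by_sasl_user(listing, envelopes, login)
    if victims and not dry_run:
        subprocess.run([POSTSUPER, "-d", "-"], text=True, check=True,
                       input="".join(q + "\n" for q in victims))
    return victims


# Constructed sample output for offline checking (not captured from a real host).
SAMPLE_POSTQUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3A2B4C1D2E*    1234 Thu May  2 22:53:00  x9k2q@example.org
                                         victim1@example.com

5F6A7B8C9D!    2345 Thu May  2 22:54:00  h7t1m@example.net
(connect to mx.example.com[192.0.2.1]:25: Connection timed out)
                                         victim2@example.com

A1B2C3D4E5     3456 Thu May  2 22:55:00  bobby@example.com
                                         friend@example.org

-- 7 Kbytes in 3 Requests.
"""


def _envelope(qid: str, login: str, sender: str) -> str:
    """Constructed `postcat -q` envelope fragment for the sample above."""
    return (f"*** ENVELOPE RECORDS {qid} ***\n"
            "named_attribute: sasl_method=PLAIN\n"
            f"named_attribute: sasl_username={login}\n"
            f"sender: {sender}\n"
            "*** MESSAGE CONTENTS ***\n")


SAMPLE_POSTCAT = {
    "3A2B4C1D2E": _envelope("3A2B4C1D2E", "bob", "x9k2q@example.org"),
    "5F6A7B8C9D": _envelope("5F6A7B8C9D", "bob", "h7t1m@example.net"),
    "A1B2C3D4E5": _envelope("A1B2C3D4E5", "bobby", "bobby@example.com"),
}

if __name__ == "__main__":
    print(select_by_sasl_user(SAMPLE_POSTQUEUE, SAMPLE_POSTCAT, "bob"))
```

Run `purge("bob")` first to see which IDs would go, then `purge("bob", dry_run=False)` once the list looks right; the on-hold entry (`!`) is included because a held message from the compromised account is still junk waiting to be released.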
