Re: header_checks

[Magnus Bäck]

On Saturday, May 08, 2010 at 06:19 CEST,
 James Logan  wrote:

> On Thu, May 6, 2010 at 7:02 AM, J.D. Bronson wrote:
> 
> > I am seeing random spam come in with this consistent type of 'from':
> >
> > (r...@www.cheapquotesonline.com)
> > (r...@chat.biznizpro.com)
> > (r...@safetyaboutonline.net)
> >
> > ..they all begin with 'ret@' and I need some help creating a
> > header_check (and/or body check) to catch this.
> >
> > I tried this, but it didnt work:
> >
> > /^From:.ret@/REJECT unsolicited email
>
> Easy fix - we always escape the @ character with a black slash, like
> ret\@, on several servers where we use regular expressions in postfix
> header_checks.

No, this doesn't fix the OP's problem. The @ character is not a regular
expression meta character and does not require escaping.

Please do not top-post.

-- 
Magnus Bäck
mag...@dsek.lth.se

RE: Php hook for all my emails

[Mark Scholten]

> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of mouss
> Sent: Friday, May 07, 2010 11:51 PM
> To: postfix users
> Subject: Re: Php hook for all my emails
> 
> Andrés Gattinoni a écrit :
> > On Fri, May 7, 2010 at 5:29 PM, Noel Jones 
> wrote:
> >> On 5/7/2010 2:53 PM, Andrés Gattinoni wrote:
> >> Here's an example of a shell script that receives all mail.
> Shouldn't be
> >> much of a stretch to use PHP instead.
> >> http://www.postfix.org/FILTER_README.html#simple_filter
> >>
> >> If you still want to use amavisd-new, then use multiple postfix
> instances
> >> for each filter hop.
> >>
> >> Another alternative is to integrate your code into amavisd-new,
> either as a
> >> custom hook or as a pseudo antivirus scanner.  Check the amavis-
> users
> >> archives for other folks doing similar things.
> >
> > Thanks for your response Noel.
> > I've checked out that link. The thing is that I don't actually to do
> > any filtering inside my script, I just need to gather some
> > information.
> 
> What kind of information? if it's just about envelope, then logs are
> enough.
I am now doing it by parsing the logs, but I want to get the following 
information in a MySQL database (currently I get it from the logs, but that 
takes a few hours to parse for 1 day logs). I currently log the following data 
in a MySQL database:
- sender (email address)
- receiver (email address)
- IP sender (from where did postfix receive it)
- date/time (when)
I would like to add: subject (but I didn't find a solution yet for that). Also 
doing it "realtime" and not with a delay (as we don't do parse it every minute 
and putting it in a database when we receive the information would be great).

What do you think is the best solution?
> 
> > Maybe there's an easier way that I can do that without having to call
> > sendmail again.
> >
> > [snip]

Re: Postfix smtpd_recipient_restrictions not working... please help.

[mouss]

Andrew Grant a écrit :
> Can you offer a suggestion on how this SHOULD be done? I am trying to
> check the "recipient" because I want to limit who can send to the
> "recipient" address of management.t...@testdomain.com.
> 

you already do check_recipient_access to call the restriction class. now
in the restriction class, you want check_sender_access.

> Can you please suggest how I can modify my current config to make this
> work the way I had intended?
> 

simply change mgmt_access:

mgmt_access =
check_sender_access hash:/etc/postfix/mgmt_access
reject

> [snip]

Re: Php hook for all my emails

[mouss]

Mark Scholten a écrit :
> [snip]
> I am now doing it by parsing the logs, but I want to get the following 
> information in a MySQL database (currently I get it from the logs, but that 
> takes a few hours to parse for 1 day logs).
> I currently log the following data in a MySQL database:
> - sender (email address)
> - receiver (email address)
> - IP sender (from where did postfix receive it)
> - date/time (when)
> I would like to add: subject (but I didn't find a solution yet for that).

if you keep using logs, then you can use header_checks to log the subject:

/^Subject:/ WARN blahblah

DISCLAIMER: The above is a technical answer to a technical question. It
is not a recommendation. Subject logging may introduce privacy issues.

> Also doing it "realtime" and not with a delay (as we don't do parse it every 
> minute and putting it in a database when we receive the information would be 
> great).
> 

you have many options:

- keep using a log parser. you can "tail -F $logfile | yourscript" or
call the parser often enough (use seek() to avoid re-parsing).
alternatively, you can mkfifo and log a copy to the fifo... (People do
this with syslog-ng).

- write a content_filter. you can use a pipe based filter (see the
CONTENT FILTER README). but you need to be careful... (yes, you need to
resubmit mail via sendmail...)
(if you already use amavisd-new and feel confortable writing perl code,
then you can do that from inside amavisd-new).

- write a milter.

- you can deliver a copy of mail to a program that does what you want.
for example

bcc_recipient_maps = pcre:/etc/postfix/bcc_recipient.pcre

== bcc_recipient.pcre:
/(.*)@(example\.com)$/  $...@bcc.example.com

== transport
bcc.example.com loggit:

and define "loggit" in master.cf.



> What do you think is the best solution?

I prefer log parsing because it doesn't interfere with mail flow. you
can stop it when you want and start it again, without touching
postfix... but it's just my opinion.

>>> Maybe there's an easier way that I can do that without having to call
>>> sendmail again.

with a content_filter, you need to resubmit mail, either via sendmail or
via smtp (if you chose tha letter, don't resubmit to the same port as
that would create an infinite loop. add a new smtpd listener which
doesn't trigger the content filter. as you see, this is more work than
with sendmail, and is probably not worth the pain in your case).

>>>
>>> [snip]
> 

Re: Php hook for all my emails

[Reinaldo de Carvalho]

On Sat, May 8, 2010 at 9:37 AM, Mark Scholten  wrote:
> I am now doing it by parsing the logs, but I want to get the following 
> information in a MySQL database (currently I get it from the logs, but that 
> takes a few hours to parse for 1 day logs). I currently log the following 
> data in a MySQL database:
> - sender (email address)
> - receiver (email address)
> - IP sender (from where did postfix receive it)
> - date/time (when)
> I would like to add: subject (but I didn't find a solution yet for that). 
> Also doing it "realtime" and not with a delay (as we don't do parse it every 
> minute and putting it in a database when we receive the information would be 
> great).
>

You can log headers as subject with header_checks.

> What do you think is the best solution?
>>

LogProcessor (http://sf.net/projects/logprocessor) provide a cool
engine to load logfile in real-time to a database.

Each module is a class, then is easy to implement support for new log
formats. Postfix module isn't complete, and you can contribute with
the project. Some modules like to Iptables are available.


-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather
yourself to the way the software works" (myself)

Re: ?best practice to stop " root+:|" exploits

[Wietse Venema]

ed:
> can someone beat me with a clue bat to get me started in the right 
> direction to best practice to stop; " root+:|" exploits
> (or is this something that I should move over to spam-l, or some other spot?

You run an MTA that is immune against such attacks (such as Postfix),
and you do the same with other mail handling software.

Wietse

lpr notifications thru postfix

[Jamal Mubarak]

I have postfix installed and configured on my Mac OS 10.6.3 machines.  It works 
correctly because the unix mail program works fine and sendmail interface can 
send emails as well.  However, I encounter this strange problem.  The printing 
commands, lpr and lp, have the -m switch which sends an e-mail on completion of 
a print job.  This email is not delivered and in /var/log/mail.log I see the 
following error:

May  7 00:00:04 MacBookPro postfix/sendmail[6309]: fatal: execvp 
/usr/sbin/postdrop: Operation not permitted
May  7 00:00:05 MacBookPro postfix/sendmail[6308]: warning: command 
"/usr/sbin/postdrop -r" exited with status 1
May  7 00:00:05 MacBookPro postfix/sendmail[6308]: fatal: _lp(26): unable to 
execute /usr/sbin/postdrop -r: Unknown error: 0

Can someone give me a clue as to what is wrong?  Funny thing is that sometimes 
it starts working on its own and then stops again.

Jamal

Re: ?best practice to stop " root+:|" exploits

[ed]

On 05/08/2010 06:50 PM, Wietse Venema wrote:

ed:
   

can someone beat me with a clue bat to get me started in the right
direction to best practice to stop; " root+:|" exploits
(or is this something that I should move over to spam-l, or some other spot?
 

You run an MTA that is immune against such attacks (such as Postfix),
and you do the same with other mail handling software.

Wietse

   

thank you (for all of those points).

Re: Php hook for all my emails

[David Touzeau]

On 07/05/2010 23:51, mouss wrote:

Andrés Gattinoni a écrit :

On Fri, May 7, 2010 at 5:29 PM, Noel Jones  wrote:

On 5/7/2010 2:53 PM, Andrés Gattinoni wrote:
Here's an example of a shell script that receives all mail. Shouldn't be
much of a stretch to use PHP instead.
http://www.postfix.org/FILTER_README.html#simple_filter

If you still want to use amavisd-new, then use multiple postfix instances
for each filter hop.

Another alternative is to integrate your code into amavisd-new, either as a
custom hook or as a pseudo antivirus scanner.  Check the amavis-users
archives for other folks doing similar things.


Thanks for your response Noel.
I've checked out that link. The thing is that I don't actually to do
any filtering inside my script, I just need to gather some
information.


What kind of information? if it's just about envelope, then logs are
enough.


Maybe there's an easier way that I can do that without having to call
sendmail again.

[snip]



Noel Jones help you on the right way... better is to hook amavis instead 
adding a new command-line in php that will reduce dramatically Postfix 
processing.


I know is not very well documented on Amavis, but this a starting help,

you will see it easy.

Add in your amavisd.conf

include_config_files('path-to-your-perl-script.conf');




In path-to-your-perl-script.conf

package Amavis::Custom;
use strict;
#use Net::LDAP;
#use Config::IniFiles;
#use Geo::IP;
use File::Copy;
use File::stat;
use POSIX qw(ceil floor);
use Unix::Syslog qw(:macros);  # Syslog macros
use Unix::Syslog qw(:subs);# Syslog functions

BEGIN {
  import Amavis::Conf qw(:platform :confvars c cr ca $myhostname);
  import Amavis::Util qw(do_log untaint safe_encode safe_decode);
  import Amavis::rfc2821_2822_Tools;
  import Amavis::Notify qw(build_mime_entity);
}



sub new {
  my($class,$conn,$msginfo) = @_;
  bless {}, $class;


}

sub before_send {
  my($self,$conn,$msginfo) = @_;
## do what you want before routing message to final destination.
  $self;
}

# main function that allows you to hook amavis filtering

sub checks {
   #$r->recip_addr_modified($new_addr);  # replaces delivery address!
  my($self,$conn,$msginfo) = @_;
  my($client_ip) = $msginfo->client_addr;
  my $bann_reason='';
  my $sender_domain='';
  my($log_id)=$msginfo->log_id;
  my($tempdir) = $msginfo->mail_tempdir;
  my $recipient_domain;
  my($received)=$msginfo->get_header_field_body('received');
  my($kasrate)= trim($msginfo->get_header_field_body('X-SpamTest-Rate'));
  my($mail_file_name) = $msginfo->mail_text_fn;
  my($sender_address)=$msginfo->sender;
  $message_id=Mydecode($msginfo->get_header_field_body('message-id'));
  $message_id=~ s///g;
 #Add header token
$msginfo->header_edits->add_header('X-YOUR-scanner','0.00');


# ($country_name,$region_name,$city)=ScanGeoIP($last_recived); Example 
to using geoip


$sender_address=~ m/(.+?)@(.+)/;
$sender_domain=$2;

#Example log trough amavis loger
  do_log(0, "%s my-plugin: client's IP [%s], last [%s] sender: <%s>, 
X-SpamTest-Rate: 
%s",$message_id,$client_ip,$last_recived,$sender_address,'');


# change the Amavis behavior using specific class 
Amavis::load_policy_bank('killAll');


$self;
}

1;  # insure a defined return

Re: [RCPT: Stopping automated emails]

[Ricardo Carrillo]

I like a firewall for incoming mail, thanks for the tio :p

2010/5/6 Helga Mayer 

> Quoting The Doctor :
>
>  - Forwarded message from   -
>>
>> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
>> doctor.nl2k.ab.ca
>> X-Spam-Level:
>> X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham
>>version=3.3.1
>> X-Virus-Scanned: amavisd-new at doctor.nl2k.ab.ca
>> Date: Thu, 6 May 2010 10:00:55 -0400 (EDT)
>> Subject: Stopping automated emails
>> User-Agent: Alpine 2.00 (NEB 1167 2008-08-23)
>> X-Mailer: Alpine.BSD.0.999
>>
>> I am the current holder of the email address TARGET
>>
>> I believe that a prior owner of this address had services with you.
>> I receive hundreds of emails per month like the one forwarded below
>> from OFFENDER
>>
>> I am requesting that you please stop sending these emails to me.
>> If you need to confirm authenticity, please communicate with me at
>> the same address: TARGET and I will reply to it.
>>
>> Please help, I get more than 1,000 emails from OFFENDER
>> per month. I need this to stop.
>> Thank you
>>
>> --
>> SDF Public Access UNIX System - http://sdf.lonestar.org
>> SDF runs on NetBSD - http://www.netbsd.org
>>
>>
>> -- Forwarded message --
>> Return-Path: 
>> Received: by doctor.nl2k.ab.ca (Postfix, from userid 51)
>>id E124312CFA90; Sun, 11 Apr 2010 15:07:26 -0600 (MDT)
>> Subject: PHPOM =>   DOWN
>> Message-Id: <20100411210726.e124312cf...@doctor.nl2k.ab.ca>
>> Date: Sun, 11 Apr 2010 15:07:26 -0600 (MDT)
>>
>> d...@freeshell.org
>> X-Mailer:PHP/5.2.8
>>
>>  DOWN
>>
>> - End forwarded message -
>>
>> My question is how do you stop a
>>
>> From: u...@fully.qualified.dom  To: r...@other.qualified.dom
>>
>> via Postfix?
>>
>
> Restriction classes.
>
> in main.cf
> smtpd_restriction_classes = no_ancient_sender
> no_ancient_sender=check_sender_access regexp:/etc/postfix/ancient_sender
>
> in main.cf under smtpd_recipient_restrictions
> check_recipient_access regexp:/etc/postfix/heritage_recipients,
>
> in /etc/postfix/ancient_sender
> /u...@fully\.qualified\.dom$/ REJECT do not send mail to this recipient
>
> in /etc/postfix/heritage_recipients
> /r...@other\.qualified\.dom$/ no_ancient_sender
>
> If you look for a more general solution try http://postfwd.org/
>
> --
> HM
>
>
>
>> --
>>
>> Member - Liberal International  This is doc...@nl2k.ab.ca Ici
>> doc...@nl2k.ab.ca
>> God, Queen and country! Never Satan President Republic! Beware AntiChrist
>> rising!
>> http://twitter.com/rootnl2k http://www.facebook.com/dyadallee
>> UK Time for a Common Sense change vote Liberal Democrat / Alliance
>>
>>
>
>
>


-- 

:: L.I. Ricardo D. Carrillo Sánchez
:: Security Specialist
:: Universidad Nacional Autonoma de Mexico::
:: Ciudad Universitaria  , D.F. Mex

:: e-mail prim.: davxoc at gmai dot com
:: e-mail secu.: davxoc at hotmail dot com
:

Filter before delivery without procmail or maildrop

[Bruno Ribeiro da Silva]

Hi all,

Is it possible to filter incoming messages before mailbox delivery
without use of procmail or maildrop?

I'm trying to use osbf-lua spamfilter, I setup this with postfix
after-queue filter http://www.postfix.org/FILTER_README.html
but it's not what I want, because outgoing mails are being classified
too. So is there a way to do filtering only on moment before delivery?
I'm using virtual transport.

Thanks in advance!

Re: Filter before delivery without procmail or maildrop

[Ricardo Carrillo]

Yes, you can check grey listing topics and dns black list topics, all
incomming mail is procesed before arrive to the server with this features.



:: L.I. Ricardo D. Carrillo Sánchez
:: Security Specialist
:: Universidad Nacional Autonoma de Mexico::
:: Ciudad Universitaria  , D.F. Mex

:: e-mail prim.: davxoc at gmai dot com
:: e-mail secu.: davxoc at hotmail dot com
:


On Sat, May 8, 2010 at 6:11 PM, Bruno Ribeiro da Silva <
cont...@brunoribeiro.org> wrote:

> Hi all,
>
> Is it possible to filter incoming messages before mailbox delivery
> without use of procmail or maildrop?
>
> I'm trying to use osbf-lua spamfilter, I setup this with postfix
> after-queue filter http://www.postfix.org/FILTER_README.html
> but it's not what I want, because outgoing mails are being classified
> too. So is there a way to do filtering only on moment before delivery?
> I'm using virtual transport.
>
> Thanks in advance!
>

Re: Filter before delivery without procmail or maildrop

[Reinaldo de Carvalho]

On Sat, May 8, 2010 at 8:11 PM, Bruno Ribeiro da Silva
 wrote:
> Hi all,
>
> Is it possible to filter incoming messages before mailbox delivery
> without use of procmail or maildrop?
>
> I'm trying to use osbf-lua spamfilter, I setup this with postfix
> after-queue filter http://www.postfix.org/FILTER_README.html
> but it's not what I want, because outgoing mails are being classified
> too.

'outgoing mails' isn't correct concept because all mails incoming and
outgoing. You want to say 'mails from local subnet or authenticated
connection are being processeds'.

You can disable content_filter option, and use 'FILTER' action in
restriction to enable content_filter and avoid process local messages
(as documented).

smtpd__restricions =
permit_mynetoworks,
permit_sasl_authenticated,
check__access regexp:/etc/posfix/filter.regexp


# /etc/posfix/filter.regexp
/./  filter spamfilter:


Or open another smtp port (smtpd), disable content_filter on this
port, and setup local clients to use this port (as documented).

> So is there a way to do filtering only on moment before delivery?
> I'm using virtual transport.
>
> Thanks in advance!
>



-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather
yourself to the way the software works" (myself)