Loading ...
Sorry, an error occurred while loading the content.

Re: clarification for smtpd milters and header/body checks

Expand Messages
  • Noel Jones
    ... No, header_checks aren t applied to headers added by a milter. I suppose you have a content_filter and the bounces are caused by the after-filter postfix
    Message 1 of 4 , Aug 1, 2007
    • 0 Attachment
      At 11:59 PM 8/1/2007, Marshal Newrock wrote:
      >Is it possible to use header/body checks to reject mail after it goes
      >through a milter?
      >
      >I am trying to use spamass-milter with postfix 2.4.3 to scan mail
      >before it is accepted, and then reject it based on score or if it
      >matches certain rules after being marked as spam. I have this working
      >with spampd, but using the milter seems like it would be a little more
      >reliable, and I also want to also get clamav into the mix.
      >
      >After switching from spampd to spamass-milter, I noticed that it was
      >now bouncing messages instead of rejecting, so I promptly switched it
      >back.

      No, header_checks aren't applied to headers added by a milter.
      I suppose you have a content_filter and the bounces are caused by the
      after-filter postfix rejecting the mail.

      --
      Noel Jones
    • Marshal Newrock
      On Thu, 02 Aug 2007 00:22:32 -0500 ... Yes, there is a content_filter. I tried the milter again without the content filter, and it didn t look like the
      Message 2 of 4 , Aug 2, 2007
      • 0 Attachment
        On Thu, 02 Aug 2007 00:22:32 -0500
        Noel Jones <njones@...> wrote:

        > At 11:59 PM 8/1/2007, Marshal Newrock wrote:
        > >Is it possible to use header/body checks to reject mail after it goes
        > >through a milter?
        > >
        > >I am trying to use spamass-milter with postfix 2.4.3 to scan mail
        > >before it is accepted, and then reject it based on score or if it
        > >matches certain rules after being marked as spam. I have this
        > >working with spampd, but using the milter seems like it would be a
        > >little more reliable, and I also want to also get clamav into the
        > >mix.
        > >
        > >After switching from spampd to spamass-milter, I noticed that it was
        > >now bouncing messages instead of rejecting, so I promptly switched it
        > >back.
        >
        > No, header_checks aren't applied to headers added by a milter.
        > I suppose you have a content_filter and the bounces are caused by the
        > after-filter postfix rejecting the mail.

        Yes, there is a content_filter. I tried the milter again without the
        content filter, and it didn't look like the header/body checks were
        being run. A message with a score of 13 and which matched the BAYES_99
        rule was not rejected, and both of those are rules for rejection.

        With the current setup, mail on port 25 is not run through the
        before-queue filter. Mail on port 2525 is. This is because the mail
        server is part of a private network with a single public IP. It seemed
        easiest to redirect incoming mail from the outside to port 2525 for
        scanning, since internal mail doesn't get scanned.

        So I guess my question is if there is a way to use milters, after-queue
        content filters, and header/body checks together without bouncing
        mail? If not, what do I need to do in order to use header and body
        checks to reject mail after it has been scanned with the milter?

        postconf -n and smtpd entries from master.cf below:

        alias_database = hash:/etc/aliases
        alias_maps = hash:/etc/aliases
        biff = no
        body_checks = pcre:/usr/local/etc/postfix/Spamchecks/body_checks
        command_directory = /usr/local/sbin
        config_directory = /usr/local/etc/postfix
        daemon_directory = /usr/local/libexec/postfix
        debug_peer_level = 2
        default_privs = spamd
        error_notice_recipient = postmaster@XXXX
        header_checks = pcre:/usr/local/etc/postfix/Spamchecks/header_checks
        html_directory = no
        local_recipient_maps = $alias_maps $virtual_alias_maps
        $virtual_mailbox_maps mail_owner = postfix
        mailq_path = /usr/local/bin/mailq
        manpage_directory = /usr/local/man
        mime_header_checks =
        pcre:/usr/local/etc/postfix/Spamchecks/mime_header_checks
        mydestination = localhost, lists.XXXX
        myhostname = mail.XXXX
        mynetworks = 127.0.0.0/8 192.168.1.0/24 192.168.3.0/24
        192.168.4.0/24 192.168.5.0/24 192.168.10.0/24
        mynetworks_style = host
        myorigin = $mydomain
        newaliases_path = /usr/local/bin/newaliases
        notify_classes = 2bounce,resource,software
        queue_directory = /var/spool/postfix
        readme_directory = no
        recipient_bcc_maps = hash:/usr/local/etc/postfix/recipient_bcc
        recipient_delimiter = +
        sample_directory = /usr/local/etc/postfix
        sendmail_path = /usr/local/sbin/sendmail
        setgid_group = maildrop
        show_user_unknown_table_name = no
        smtpd_data_restrictions = reject_unauth_pipelining warn_if_reject
        reject_multi_recipient_bounce
        smtpd_hard_error_limit = 5
        smtpd_helo_required = yes
        smtpd_recipient_restrictions = reject_non_fqdn_sender warn_if_reject
        reject_non_fqdn_recipient reject_unknown_sender_domain warn_if_reject
        reject_unknown_recipient_domain reject_unlisted_recipient
        warn_if_reject reject_unlisted_sender permit_mynetworks
        reject_unauth_pipelining reject_unauth_destination
        check_recipient_access
        hash:/usr/local/etc/postfix/Spamchecks/allow_postmaster_receive
        check_client_access
        cidr:/usr/local/etc/postfix/Spamchecks/client_checks.cidr
        check_client_access
        pcre:/usr/local/etc/postfix/Spamchecks/client_checks.pcre
        check_helo_access
        hash:/usr/local/etc/postfix/Spamchecks/check_domain_spoof
        check_helo_access pcre:/usr/local/etc/postfix/Spamchecks/helo_checks
        check_sender_access
        pcre:/usr/local/etc/postfix/Spamchecks/sender_checks
        check_recipient_access
        pcre:/usr/local/etc/postfix/Spamchecks/recipient_checks
        check_sender_mx_access
        cidr:/usr/local/etc/postfix/Spamchecks/check_sender_mx.cidr
        reject_rbl_client sbl-xbl.spamhaus.org check_helo_access
        hash:/usr/local/etc/postfix/Spamchecks/common_forged_webmail_helo
        check_client_access
        pcre:/usr/local/etc/postfix/Spamchecks/greylist_clients
        smtpd_restriction_classes = common_forged_webmail, greylist
        smtpd_soft_error_limit = 3
        transport_maps = hash:/usr/local/etc/postfix/transport_maps
        unknown_local_recipient_reject_code = 550
        virtual_alias_maps =
        proxy:ldap:/usr/local/etc/postfix/virtual_aliases.ldap virtual_gid_maps
        = static:225 virtual_mailbox_base = /var/mail
        virtual_mailbox_domains = /usr/local/etc/postfix/virtual_domains
        virtual_mailbox_maps = ldap:/usr/local/etc/postfix/virtual_users.ldap
        virtual_uid_maps = static:225

        master.cf:
        smtp inet n - n - 20 smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o content_filter=filter:dummy

        :2525 inet n - n - 20 smtpd
        # -o milter_default_action=accept
        # -o smtpd_milters=unix:/var/run/spamass-milter.sock
        # -o content_filter=filter:dummy
        -o smtpd_proxy_filter=127.0.0.1:10024
        -o smtpd_proxy_timeout=280
        -o content_filter=
        -o smtpd_client_connection_count_limit=10

        # in-line content filter
        :10025 inet n - n - - smtpd
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=
        -o mynetworks=127.0.0.0/8,192.168.10.250
        -o receive_override_options=no_unknown_recipient_checks
        -o content_filter=filter:dummy

        filter unix - n n - - pipe
        user=filter argv=/usr/local/bin/filter.sh -f ${sender} --
        ${recipient}

        --
        Marshal Newrock
        Ideal Solution, LLC - http://www.idealso.com
      • Noel Jones
        ... Header_checks does not inspect headers added by milters in the same instance of postfix. You cannot use header_checks to reject mail based on milter-added
        Message 3 of 4 , Aug 3, 2007
        • 0 Attachment
          At 09:51 AM 8/2/2007, Marshal Newrock wrote:
          >If not, what do I need to do in order to use header and body
          >checks to reject mail after it has been scanned with the milter?

          Header_checks does not inspect headers added by milters in the same
          instance of postfix. You cannot use header_checks to reject mail
          based on milter-added headers.

          --
          Noel Jones
        Your message has been successfully submitted and would be delivered to recipients shortly.