
Re: smtpd_proxy_filter by size

  • Terry Carmen
    Message 1 of 7, Dec 2, 2007
      C. Vorwerk wrote:
      >
      > Before writing my own pipe filters, checking the size (and I don't
      > know how to do this for the proxy filter), I would like to know
      > whether there is an option I might use or someone who already set
      > something like this up.
      >
      >
      http://cnysupport.com/download/pfshu/

      This should help. It tags the message with a SpamAssassin-style
      X-ActualMessageSize=****** string, with each * indicating 1MB.

      You could easily change the scaling factor (MB_PER_ASTERISK) if you need
      something different.

      Terry
    • Noel Jones
      Message 2 of 7, Dec 2, 2007
        It's not possible to select a proxy based on some message property.

        Postfix must open the proxy *first*, before any message property is known.

        Perhaps you can configure your proxy to stop scanning (just pass transparently) after some byte limit.

        --
        Noel Jones

        -----Original Message-----
        From: "C. Vorwerk" <list-user@...>
        To: postfix-users@...
        Sent: 12/2/07 10:59 AM
        Subject: smtpd_proxy_filter by size

        Hello,

        I am just about to move from exim to postfix. Though I liked exim, I missed
        some capabilities needed for a cyrus back end.

        Now I have set up a test system with smtpd_proxy_filter clamsmtp for denying
        virus and phishing mails before completely accepting them. I know about the
        problem of getting too much load on the system caused by too many virus
        checks, but I don't like handling viruses for my users, making
        quarantines or else.
        To limit this problem, I would like to limit the checking to mails with
        a size of about 500kb by the smtpd_proxy_filter and check mails above
        this to about 10mb again in a content_filter. I already set this up. But
        I didn't find a way for the limit handled by postfix. I know, I can set
        up two instances of clamavd and set at least the upper limit. The
        problem of the lower is still there (and therefore an unneeded double
        check) and the usage of doubling the system resources by clamavd (two
        instances).

        Before writing my own pipe filters, checking the size (and I don't know
        how to do this for the proxy filter), I would like to know whether there
        is an option I might use or someone who already set something like this up.

        Thanks in advance!

        Here is my master.conf:

        127.0.0.1:10025 inet n - n - 16 smtpd
        -o content_filter=smtp-clamavfilter:[127.0.0.1]:10026
        -o smtpd_proxy_filter=
        -o receive_override_options=no_address_mappings
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_delay_reject=no
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

        smtp-clamavfilter unix - - n - 16 smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no
        -o disable_dns_lookups=yes

        127.0.0.1:10027 inet n - n - 16 smtpd
        -o content_filter=
        -o smtpd_proxy_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_delay_reject=no
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
      • C. Vorwerk
        Message 3 of 7, Dec 3, 2007
          Noel Jones wrote:
          > It's not possible to select a proxy based on some message property.
          >
          > Postfix must open the proxy *first*, before any message property is known.
          >
          > Perhaps you can configure your proxy to stop scanning (just pass transparently) after some byte limit.
          >


          Well, I could start two instances of clamavd with different config
          files. There you can configure the max size of a file to scan. This
          would lead to more used resources, which I don't want.

          I understand now why postfix can't help. Do you know another way for my
          problem?
        • Noel Jones
          Message 4 of 7, Dec 3, 2007
            C. Vorwerk wrote:
            > Noel Jones wrote:
            >> It's not possible to select a proxy based on some message property.
            >> Postfix must open the proxy *first*, before any message property is
            >> known.
            >>
            >> Perhaps you can configure your proxy to stop scanning (just pass
            >> transparently) after some byte limit.
            >>
            >
            >
            > Well, I could start two instances of clamavd with different config
            > files. There you can configure the max size of a file to scan. This
            > would lead to more used resources, which I don't want.
            >
            > I understand now why postfix can't help. Do you know another way for my
            > problem?

            I don't think there is a good solution to your goal of
            scanning mail up to some size pre-queue and scan the rest
            post-queue.

            Running two clamd daemons and routing mail to the second one
            as a post-queue content_filter is the only way I can think of.
            While resource usage probably wouldn't be terrible, it is
            rather complex and awkward. This also requires some bit of
            glue so postfix can select a FILTER based on the size of the
            message. The SA plugin is one way, another way is a policy
            service that either uses PREPEND to add a X-Size: header or
            just returns a FILTER command itself.

            more info here might help:
            http://www.postfix.org/SMTPD_POLICY_README.html
            http://www.postfix.org/addon.html#policy

            --
            Noel Jones
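
The policy-service option from the message above (return a FILTER command based on message size), as an added example that is not part of the original thread. It assumes the service is queried from smtpd_end_of_data_restrictions, where the `size` attribute holds the actual message size; port 10031 and the 500 KB cut-off are illustrative choices.

```python
import socketserver

SIZE_LIMIT = 500 * 1024  # assumed cut-off, from "about 500kb" in the thread
# FILTER destination copied from content_filter= in the poster's config
POST_QUEUE_FILTER = "smtp-clamavfilter:[127.0.0.1]:10026"
# Constructed sample request (name=value lines, ended by an empty line)
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=END-OF-DATA\n"
                  "sender=a@example.org\nsize=1048576\n\n")

def parse_request(text):
    """Turn one policy request into a dict, stopping at the empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs):
    """Pick the action: FILTER for oversize or unknown size, else DUNNO."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    try:
        size = int(attrs.get("size", "0"))
    except ValueError:
        size = 0
    # An unknown size is sent to the post-queue scanner rather than skipped.
    if size <= 0 or size > SIZE_LIMIT:
        return "FILTER " + POST_QUEUE_FILTER
    return "DUNNO"

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        lines = []  # Postfix may send several requests on one connection
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
            elif lines:
                action = decide(parse_request("\n".join(lines)))
                self.wfile.write(f"action={action}\n\n".encode())
                lines = []

if __name__ == "__main__":
    # Assumed wiring: smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler) as srv:
        srv.serve_forever()
```
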
          • C. Vorwerk
            Message 5 of 7, Dec 4, 2007
              Noel Jones wrote:

              > I don't think there is a good solution to your goal of scanning mail up
              > to some size pre-queue and scan the rest post-queue.
              >
              I don't know so much about good. There are probably many opinions about
              how to implement in a good way. I'd like to hear some.

              I talked to the clamsmtp mailing list. They said that I might implement
              this feature without many changes, just checking the size of the mail
              after it receives it.
              I will try that in the next weeks.

              > Running two clamd daemons and routing mail to the second one as a
              > post-queue content_filter is the only way I can think of. While
              > resource usage probably wouldn't be terrible, it is rather complex and
              > awkward. This also requires some bit of glue so postfix can select a
              > FILTER based on the size of the message. The SA plugin is one way,
              > another way is a policy service that either uses PREPEND to add a
              > X-Size: header or just returns a FILTER command itself.
              >
              > more info here might help:
              > http://www.postfix.org/SMTPD_POLICY_README.html
              > http://www.postfix.org/addon.html#policy
              >

              You are probably right about the resources on a large scale. As a
              hosting service provider I would not worry about it either, even with
              online scanning of 10 Mb mails. But when you are small and need to calculate
              sharply about the costs, every Mb of your RAM is worth a fortune, even if
              it is cheap on the market.
              By the way, I don't like the idea of running services twice without any
              need. It complicates the configuration.

              I will try to patch clamsmtp with a max size and maybe a min size
              option. Alternatively it writes a special trustworthy header with a salt
              which can be identified by postfix for further mappings.

              Maybe you might explain to me why I get the feeling that you don't like
              the idea of my configuration. I am open to other / better ideas.

              Greets
            • Noel Jones
              Message 6 of 7, Dec 4, 2007
                C. Vorwerk wrote:
                > Noel Jones wrote:
                >
                >> I don't think there is a good solution to your goal of scanning mail
                >> up to some size pre-queue and scan the rest post-queue.
                >>
                > I don't know so much about good. There are probably many opinions about
                > how to implement in a good way. I'd like to hear some.
                >
                > I talked to the clamsmtp mailing list. They said that I might implement
                > this feature without many changes, just checking the size of the mail
                > after it receives it.
                > I will try that in the next weeks.

                Does clamsmtp save the incoming mail to a temp file and then
                scan it before passing it to the next hop? (surely it doesn't
                try to cache it in memory...)

                If so, you could have clamsmtp either pass the mail or just
                add some X-header that you use as a trigger for post-queue
                scanning.

                AFAIK, this is the only way this could work cleanly. And yet
                you would still risk timeout issues on large mails or messages
                that take a long time to scan for some reason.

                >
                >> Running two clamd daemons and routing mail to the second one as a
                >> post-queue content_filter is the only way I can think of. While
                >> resource usage probably wouldn't be terrible, it is rather complex and
                >> awkward. This also requires some bit of glue so postfix can select a
                >> FILTER based on the size of the message. The SA plugin is one way,
                >> another way is a policy service that either uses PREPEND to add a
                >> X-Size: header or just returns a FILTER command itself.
                >>
                >> more info here might help:
                >> http://www.postfix.org/SMTPD_POLICY_README.html
                >> http://www.postfix.org/addon.html#policy
                >>
                >
                > You are probably right about the resources on a large scale. As a
                > hosting service provider I would not worry about it either, even with
                > online scanning of 10 Mb mails. But when you are small and need to calculate
                > sharply about the costs, every Mb of your RAM is worth a fortune, even if
                > it is cheap on the market.
                > By the way, I don't like the idea of running services twice without any
                > need. It complicates the configuration.
                >
                > I will try to patch clamsmtp with a max size and maybe a min size
                > option. Alternatively it writes a special trustworthy header with a salt
                > which can be identified by postfix for further mappings.

                If you add a header that the file wasn't scanned and needs
                further processing, the trust factor is far less of an issue.

                >
                > Maybe you might explain to me why I get the feeling that you don't like
                > the idea of my configuration. I am open to other / better ideas.
                >

                The idea is fine. I just don't see any reasonable way to
                accomplish it with available tools.

                If I've left anything significant out, be assured that someone
                else will jump in here...

                Good luck.

                --
                Noel Jones