This is a little trick for Postfix: it lets you log the subject, from and to of all the emails Postfix sends (or which pass through it if you run it as a relay). It comes in handy when you need to debug an email issue and need to confirm your mailserver has sent the message.
First create the file /etc/postfix/header_checks and insert this into it:
/^subject:/ WARN
/^to:/ WARN
/^from:/ WARN
/^Subject:/ WARN
/^To:/ WARN
/^From:/ WARN
Now, in your Postfix /etc/postfix/main.cf, add the following to the end of the file:
header_checks = regexp:/etc/postfix/header_checks
And restart postfix:
service postfix restart
You should now see a log entry for each matching header.
More header_checks examples:
Header pattern to block attachments with bad file name extensions. For convenience, the PCRE /x flag is specified, so that there is no need to collapse the pattern into a single line of text. The purpose of the [[:xdigit:]] sub-expressions is to recognize Windows CLSID strings.
/etc/postfix/main.cf:
header_checks = pcre:/etc/postfix/header_checks.pcre
/etc/postfix/header_checks.pcre:
/^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)(
  ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
  hlp|ht[at]|
  inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
  \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
  ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
  vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
    REJECT Attachment name "$2" may not end with ".$4"
Body pattern to stop a specific HTML browser vulnerability exploit.
/etc/postfix/main.cf:
body_checks = regexp:/etc/postfix/body_checks
/etc/postfix/body_checks:
/^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
    REJECT IFRAME vulnerability exploit
How to stop a specific header exploit
/etc/postfix/main.cf:
header_checks = pcre:/etc/postfix/header_checks
/etc/postfix/header_checks:
/^Delivered-To: .*/ REJECT Header Exploit
In the file header_checks we can add our regular expressions. For example to block Chinese encoding you would have the following line:
/^Subject: =\?big5\?/ REJECT Chinese encoding not accepted by this server
Here is the contents of my header_checks file:
/^Received:/ HOLD
/^Subject: =\?big5\?/ REJECT Chinese encoding not accepted by this server
/^Subject: =\?EUC-KR\?/ REJECT Korean encoding not allowed by this server
/^Subject: ADV:/ REJECT Advertisements not accepted by this server
/^Subject: =\?Windows-1251\?/ REJECT Russian encoding not allowed by this server
/^Subject: =\?KOI8-R\?/ REJECT Russian encoding not allowed by this server
/^Subject:.*=\?(big5|euc-kr|gb2312|ks_c_5601-1987)\?/ REJECT Language not accepted by this server as it is probably spam
/[^[:print:]]{8}/ REJECT Sorry, ascii characters only permitted by this server
/^From:.*\@.*\.cn/ REJECT Sorry, Chinese mail not allowed here
/^From:.*\@.*\.kr/ REJECT Sorry, Korean mail not allowed here
/^From:.*\@.*\.tr/ REJECT Sorry, Turkish mail not allowed here
/^From:.*\@.*\.ru/ REJECT Sorry, Russian mail not allowed here
/^From:.*\@.*\.ro/ REJECT Sorry, Romanian mail not allowed here
/^(Received|Message-Id|X-(Mailer|Sender)):.*\b(AutoMail|E-Broadcaster|Emailer Platinum|Thunder Server|eMarksman|Extractor|e-Merge|from stealth[^.]|Global Messenger|GroupMaster|Mailcast|MailKing|Match10|MassE-Mail|massmail\.pl|News Breaker|Powermailer|Quick Shot|Ready Aim Fire|WindoZ|WorldMerge|Yourdora|Lite)\b/ REJECT No mass mailers allowed. You are probably sending spam
/^X-Mailer:.*\b(Aristotle|Avalanche|Blaster|Bomber|DejaVu|eMerge|Extractor|UltraMail|Sonic|Floodgate|GeoList|Mach10|MegaPro|Aureate|MultiMailer|Bluecom|Achi-Kochi Mail|Direct Email|Andrew's SuperCool Blastoise|MailerGear|Advanced Mass Sender|SpireMail|MailWorkZ|UltimDBMail|Mabry|Lite)\b/ REJECT No mass mailers allowed. You are probably sending spam.
/^(To|From|Cc|Reply-To):.*@optonline/ REJECT Sorry, your message is probably spam
The REJECT in the above example means that your Postfix will send a rejection with the text "Chinese encoding not accepted by this server" to the originating MTA. If you would rather drop such messages silently, without any rejection or non-delivery report, change REJECT to DISCARD.
Another example file, /etc/postfix/header_checks:
# Rule 1
/^From:.*Casino/ REJECT Casino spam detected in headers. Your message was marked as spam.
# Rule 2
/^Subject:.*naked/ REJECT Explicit content detected in headers. Your message was marked as spam.
Simple method to block email messages by content (body)
In /etc/postfix/main.cf:
body_checks = regexp:/etc/postfix/body_checks
Example file /etc/postfix/body_checks:
# Rule 1
/mdaemon/ REJECT Your email client is used for spam.
# Rule 2
/cialis/ REJECT Email messages with drugs are not allowed.
# Rule 3
/casino/ REJECT Email messages regarding casino are not allowed.
# Rule 4
/search engine registration/ REJECT I don't need your fake services.
# Rule 5
/thecreativelogos.com/ REJECT Invaders must die
After creating the files, run postmap on each one and reload Postfix:
postmap /etc/postfix/body_checks
postmap /etc/postfix/header_checks
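Before deploying a header_checks table it helps to dry-run it against a few sample header lines. The following Python script is an added example, not part of the original post and not Postfix code: it parses a regexp: table the way regexp_table(5) describes (comment lines, whitespace continuation lines, first match wins, case-insensitive unless the i flag toggles it) and reports which rule fires. The sample table is constructed for the demo and deliberately includes two pitfalls seen in tables like the ones above: an unescaped ? in =?big5? and a trailing #Rule comment that Postfix treats as part of the reject text.

```python
import re

# Constructed sample table in Postfix regexp_table(5) syntax (not the page's own file).
# '#' starts a comment only at the start of a line; a line starting with whitespace
# continues the previous one; everything after the action is the action's text.
SAMPLE_TABLE = r"""
# Rule 1 leaves '?' unescaped, so '=' and '5' are optional and 'Subject: big...' matches too
/^Subject: =?big5?/ REJECT Chinese encoding not accepted
/^Subject: =\?KOI8-R\?/ REJECT Russian encoding not accepted
/^From:.*Casino/ REJECT Casino spam detected #Rule 3
/^(To|From|Cc|Reply-To):.*@optonline/
    REJECT Sorry, your message is probably spam
/^Subject:/ WARN
"""

# One logical line: optional '!' negation, /pattern/, flags, ACTION, optional text.
RULE_RE = re.compile(r'^(!?)/((?:[^/\\]|\\.)*)/([imx]*)\s+(\S+)(?:\s+(.*))?$')

def parse_table(text):
    """Parse a regexp: table into [(negate, compiled_regex, action, action_text)]."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                                    # blank line or comment line
        if raw[0].isspace() and logical:
            logical[-1] += ' ' + raw.strip()            # continuation of the previous rule
        else:
            logical.append(raw.rstrip())
    rules = []
    for line in logical:
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('unparseable table line: ' + line)
        negate, pattern, flags, action, action_text = m.groups()
        opts = 0 if 'i' in flags else re.IGNORECASE     # 'i' toggles the default case-insensitivity
        opts |= re.MULTILINE if 'm' in flags else 0
        opts |= re.VERBOSE if 'x' in flags else 0       # 'x' is a pcre: flag, accepted here for convenience
        rules.append((negate == '!', re.compile(pattern, opts), action, action_text or ''))
    return rules

def check_header(rules, header_line):
    """Return (action, text) of the first rule that fires for one header line, or None."""
    for negate, rx, action, text in rules:
        if (rx.search(header_line) is not None) != negate:
            return action, text
    return None

RULES = parse_table(SAMPLE_TABLE)

if __name__ == '__main__':
    for hdr in ('Subject: big news', 'Subject: =?KOI8-R?B?...', 'From: Grand Casino <a@example.com>',
                'Cc: bob@optonline.net', 'Subject: hello', 'To: bob@example.org'):
        print(hdr, '->', check_header(RULES, hdr))
```

Note that "Subject: big news" is rejected by the first rule, which is the over-match the unescaped ? causes, and that the Casino rule's reject text ends in "#Rule 3".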