postfix header_checks pcre is being ignored?

04/05/2016 - 15:28 by Ulli Horlacher
According to http://www.postfix.org/header_checks.5.html this should work:

root@tandem:/etc/postfix# grep header_checks main.cf
header_checks = pcre:/etc/postfix/header_checks.pcre

root@tandem:/etc/postfix# cat header_checks.pcre
/^Subject: Emailing: scan/
REJECT Virus Subject


However, after a postfix restart a test mail from outside with the Subject
"Emailing: scanxxx" is still accepted.
/var/log/mail.log shows:

2016-05-04 15:11:37 connect from mx3.rus.uni-stuttgart.de[129.69.192.3]
2016-05-04 15:11:37 NOQUEUE: client=mx3.rus.uni-stuttgart.de[129.69.192.3]
2016-05-04 15:11:37 connect from localhost[127.0.0.1]
2016-05-04 15:11:37 E7C2C203E6: client=localhost[127.0.0.1], orig_client=mx3.rus.uni-stuttgart.de[129.69.192.3]
2016-05-04 15:11:37 E7C2C203E6: message-id=<20160504131130.GA25188@rus.uni-stuttgart.de>
2016-05-04 15:11:38 E7C2C203E6: from=<framstag@rus.uni-stuttgart.de>, size47, nrcpt=1 (queue active)
2016-05-04 15:11:38 disconnect from localhost[127.0.0.1]
2016-05-04 15:11:38 (03112-05) Passed CLEAN {RelayedOpenRelay}, [129.69.192.3]:54072 [129.69.13.139] <framstag@rus.uni-stuttgart.de> -> <framstag@flupp.org>, Message-ID: <20160504131130.GA25188@rus.uni-stuttgart.de>, mail_id: BWF6E6tZR6mg, Hits: -, size: 1301, queued_as: E7C2C203E6, 186 ms
2016-05-04 15:11:38 proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E7C2C203E6; from=<framstag@rus.uni-stuttgart.de> to=<framstag@flupp.org> proto=ESMTP helo=<mx3.rus.uni-stuttgart.de>
2016-05-04 15:11:38 disconnect from mx3.rus.uni-stuttgart.de[129.69.192.3]
2016-05-04 15:11:38 E7C2C203E6: to=<framstag@tandem-fahren.de>, orig_to=<framstag@flupp.org>, relay=local, delay=0.4, delays=0.14/0.01/0/0.25, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
2016-05-04 15:11:38 E7C2C203E6: removed


Shouldn't it be rejected now?

+ Ulli Horlacher + framstag@tandem-fahren.de + http://tandem-fahren.de/ +
 

Read the replies

#1 Juergen P. Meier
05/05/2016 - 06:23
Ulli Horlacher wrote:
> According to http://www.postfix.org/header_checks.5.html this should work:
>
> root@tandem:/etc/postfix# grep header_checks main.cf
> header_checks = pcre:/etc/postfix/header_checks.pcre

What do these say:

postconf header_checks receive_override_options
postconf -m

> root@tandem:/etc/postfix# cat header_checks.pcre
> /^Subject: Emailing: scan/
> REJECT Virus Subject

Should be fine.

> However, after a postfix restart a test mail from outside with the Subject
> "Emailing: scanxxx" is still accepted.
> /var/log/mail.log shows:
>
> 2016-05-04 15:11:37 connect from mx3.rus.uni-stuttgart.de[129.69.192.3]
> 2016-05-04 15:11:37 NOQUEUE: client=mx3.rus.uni-stuttgart.de[129.69.192.3]

No queuing? External content filter?

> 2016-05-04 15:11:37 connect from localhost[127.0.0.1]

External content filter.

> 2016-05-04 15:11:37 E7C2C203E6: client=localhost[127.0.0.1], orig_client=mx3.rus.uni-stuttgart.de[129.69.192.3]
> 2016-05-04 15:11:37 E7C2C203E6: message-id=<20160504131130.GA25188@rus.uni-stuttgart.de>
> 2016-05-04 15:11:38 E7C2C203E6: from=<framstag@rus.uni-stuttgart.de>, size47, nrcpt=1 (queue active)
> 2016-05-04 15:11:38 disconnect from localhost[127.0.0.1]
> 2016-05-04 15:11:38 (03112-05) Passed CLEAN {RelayedOpenRelay}, [129.69.192.3]:54072 [129.69.13.139] <framstag@rus.uni-stuttgart.de> -> <framstag@flupp.org>, Message-ID: <20160504131130.GA25188@rus.uni-stuttgart.de>, mail_id: BWF6E6tZR6mg, Hits: -, size: 1301, queued_as: E7C2C203E6, 186 ms
> 2016-05-04 15:11:38 proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E7C2C203E6; from=<framstag@rus.uni-stuttgart.de> to=<framstag@flupp.org> proto=ESMTP helo=<mx3.rus.uni-stuttgart.de>
> 2016-05-04 15:11:38 disconnect from mx3.rus.uni-stuttgart.de[129.69.192.3]
> 2016-05-04 15:11:38 E7C2C203E6: to=<framstag@tandem-fahren.de>, orig_to=<framstag@flupp.org>, relay=local, delay=0.4, delays=0.14/0.01/0/0.25, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
> 2016-05-04 15:11:38 E7C2C203E6: removed
>
> Shouldn't it be rejected now?



This is not a normal mail flow. In particular you are missing the cleanup: line
(http://www.postfix.org/BUILTIN_FILTER_README.html); header checks
are performed by cleanup.

What does your master.cf look like (all active services), and what does
postconf content_filter no_header_body_checks
say?

It seems to me you are shooting yourself in the foot: your header check should,
if anything, happen in the external content scanner.

Juergen
Juergen P. Meier - "This World is about to be Destroyed!"
end
If you think technology can solve your problems you don't understand
technology and you don't understand your problems. (Bruce Schneier)
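
The reply above asks for master.cf and the receive_override_options setting. The following is an added example, not code from the thread or from Postfix: it parses a master.cf and reports which smtpd listeners run with no_header_body_checks, the receive_override_options value that switches header_checks off for mail received there. The sample master.cf, its port 10024 and the function names are constructed assumptions; the poster's real file is not shown in the thread.

```python
import re

# Constructed master.cf fragment (assumption: a before-queue proxy filter with a
# re-injection listener on 127.0.0.1:10025); the thread never shows the real file.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       20      smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o smtpd_proxy_filter=
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
# cleanup(8) is the daemon that applies header_checks
cleanup   unix  n       -       n       -       0       cleanup
"""

def logical_entries(text):
    """Join master.cf continuation lines (leading whitespace) into one entry each."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def smtpd_listeners(master_cf, main_cf_receive_override=""):
    """Return {"name/type": {...}} for every smtpd service.

    main_cf_receive_override is the main.cf value of receive_override_options,
    which a per-service "-o receive_override_options=..." replaces.
    Limitation: the "-o { name = value }" brace syntax is not parsed.
    """
    result = {}
    for entry in logical_entries(master_cf):
        fields = entry.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        overrides = dict(re.findall(r"-o\s*([A-Za-z0-9_]+)=(\S*)", entry))
        options = overrides.get("receive_override_options", main_cf_receive_override)
        result[f"{fields[0]}/{fields[1]}"] = {
            "proxy_filter": overrides.get("smtpd_proxy_filter", ""),
            "skips_header_checks": "no_header_body_checks" in re.split(r"[,\s]+", options),
        }
    return result

if __name__ == "__main__":
    for name, info in smtpd_listeners(SAMPLE_MASTER_CF).items():
        print(name, info)
```

On a real host, pass the contents of /etc/postfix/master.cf and the output of `postconf -h receive_override_options` as the two arguments.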
