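Postfix anti-spam restriction settings: sender, client, and recipient restrictions

Three Postfix restriction settings matter most for blocking spam. Call them the three brothers:

Eldest: smtpd_sender_restrictions

There is not much to say about this one. It basically checks whether the sender address is correctly formatted, and it is the first stage of restrictions.

Second: smtpd_client_restrictions

This setting is about restricting by hostname or IP.

For example: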

check_client_access hash:/etc/postfix/sender_mail_hostname_check

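This means you must write the exact mail hostname or IP you want to restrict (wildcards cannot be used) into the file sender_mail_hostname_check before that host is restricted.

Then add this very powerful setting: reject_unknown_client_hostname

It uses DNS to verify that the hostname matches, and rejects the client otherwise. For example:

If the mail host's IP is 1.2.3.4 and the DNS lookup for it returns xxx.com, but a forward lookup of xxx.com does not return 1.2.3.4, the client is blocked!

P.S. 1.2.3.4 may claim to be the mail host for the domain yyy.com; that does not have to be the same as its actual DNS name, xxx.com.

This one trick alone takes care of most spam, because spam hosts make arbitrary claims.

Of course it also causes many false positives, because some IT staff do not take proper care of the reverse DNS for their hosts' IPs.

** reject_unknown_client_hostname can be replaced with reject_unknown_reverse_client_hostname: as long as the reverse lookup does not fail to return a hostname, the client is not blocked, which is more lenient.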
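
The difference between the two restrictions, as an added example that is not part of the original post: the function below applies both checks to a client IP, using constructed DNS tables by default so it runs offline. The names evaluate, table_resolver and system_resolver are hypothetical.

```python
import socket

# Constructed DNS data for illustration (not real records).
PTR = {"1.2.3.4": "xxx.com", "5.6.7.8": "mail.good.example"}
A = {"xxx.com": ["9.9.9.9"], "mail.good.example": ["5.6.7.8"]}

def table_resolver(ptr=PTR, a=A):
    """Offline resolver pair backed by the constructed tables above."""
    return (lambda ip: ptr.get(ip)), (lambda name: a.get(name, []))

def system_resolver():
    """Resolver pair that asks the real DNS through the OS resolver."""
    def reverse(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            return None
    def forward(name):
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
        except OSError:
            return []
    return reverse, forward

def evaluate(client_ip, resolver=None):
    """Verdict of each restriction for a connecting client IP.
    The HELO name and the sender domain play no part in either check."""
    reverse, forward = resolver or table_resolver()
    name = reverse(client_ip)
    has_ptr = name is not None
    # Forward-confirmed: the PTR name must resolve back to the client IP.
    confirmed = has_ptr and client_ip in forward(name)
    return {
        "reject_unknown_reverse_client_hostname": "pass" if has_ptr else "reject",
        "reject_unknown_client_hostname": "pass" if confirmed else "reject",
    }

if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "203.0.113.9"):
        print(ip, evaluate(ip))
```

Pass system_resolver() as the resolver to run the same two checks against live DNS for an address taken from your own mail log.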

Third: smtpd_recipient_restrictions

There are many settings in this part. The key one is

check_sender_access hash:/etc/postfix/sender_email_check

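sender_email_check records whether a sender mailbox or domain is to be restricted.

Unlike the second brother, wildcards can be used here, because what is blocked is not an IP but an email address.

See example no. 10023 for reference.

Postfix header inspection: header_checks

This is another old-fashioned Postfix way of blocking spam. It is still useful now and then.

Everyone knows Postfix can inspect headers with header_checks and then block the message.

Set it in /etc/postfix/main.cf to enable the feature: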

header_checks = regexp:/etc/postfix/header_checks

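Next, edit the rules file /etc/postfix/header_checks and set the strings to block.

The interesting part is how to match the string. There are two things to watch:

1. Put ".*" before the string to match and close the pattern with "/"; ".*" matches any run of characters, so the string is found wherever it appears in the header.

For example: /^Subject:.*AV/ DISCARD

This matches every subject that contains the string AV.

2. For Chinese, you need to consider UTF-8, GBK and BIG5, and then Base64-encode the string.

For example, to match the string "警告" (warning), it could be in any of UTF-8, GBK or BIG5:

/^Subject:.*6K2m5ZGK/ DISCARD
/^Subject:.*vq\+45g==/ DISCARD
/^Subject:.*xLWnaQ==/ DISCARD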

An encoding service for reference:
https://www.base64encode.org
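
A Base64 pattern for a keyword only matches when the keyword starts on a 3-byte boundary of the encoded subject; with other text in front of it, the same bytes encode to different characters. The following added example (not from the original post; the function names are hypothetical) generates the header_checks lines for all three alignments in each of the charsets above, escaping "+" and "/" for the regexp table.

```python
import base64

# Charsets the page lists for Chinese subjects.
CHARSETS = ("utf-8", "gbk", "big5")

def b64_fragments(raw):
    """Base64 text that must appear when `raw` starts at byte offset
    0, 1 or 2 (mod 3) inside a longer Base64-encoded string."""
    frags = []
    for offset in range(3):
        padded = b"\x00" * offset + raw
        text = base64.b64encode(padded).decode("ascii").rstrip("=")
        # Drop leading characters that mix in bits of the unknown bytes
        # in front of the keyword.
        text = text[(0, 2, 3)[offset]:]
        # Unless the keyword ends on a 3-byte boundary, the last character
        # mixes in bits of the byte that follows it.
        if len(padded) % 3:
            text = text[:-1]
        frags.append(text)
    return frags

def regexp_escape(fragment):
    """Escape the Base64 characters that are special in a /regexp/ line:
    "+" is a repetition operator and "/" is the pattern delimiter."""
    return fragment.replace("+", r"\+").replace("/", r"\/")

def header_check_rules(keyword, action="DISCARD"):
    """header_checks lines covering every charset and alignment."""
    rules = []
    for charset in CHARSETS:
        for frag in b64_fragments(keyword.encode(charset)):
            rules.append(f"/^Subject:.*{regexp_escape(frag)}/ {action}")
    return rules

if __name__ == "__main__":
    print("\n".join(header_check_rules("警告")))
```

The fragments for the unaligned positions are shorter than the aligned one, so a short keyword yields short patterns that can also match unrelated mail; run them with the WARN action first and review the log before switching to DISCARD.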

 

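Adding postgrey greylisting to Postfix mail blocks most spam

Adding postgrey greylisting to Postfix is simple. The steps are:

1. Install postgrey

On CentOS, find and install the matching RPM from rpmfind.net.

On Ubuntu 18.04 it can be installed directly, with no separate download: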

sudo apt install postgrey

2. Find the OPTIONS setting in the startup script and add auto-whitelisting and a 120-second delay

CentOS 6:

vi /etc/rc.d/init.d/postgrey

—————————————————

OPTIONS="--unix=$SOCKET --auto-whitelist-clients=5 --delay=120"

—————————————————

CentOS 7:

vi /var/lib/systemd/system/postgrey or

vi /usr/lib/systemd/system/postgrey.service

—————————————————

ExecStart=…

--auto-whitelist-clients=5

—————————————————

When running, the process looks like this:

/usr/sbin/postgrey -d --unix=/var/spool/postfix/postgrey/socket --auto-whitelist-clients=5 --delay=120

3. Edit Postfix's main.cf and add check_policy_service unix:postgrey/socket

CentOS: vi /etc/postfix/main.cf

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    check_sender_access hash:/etc/postfix/sender_vip,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    check_policy_service unix:postgrey/socket

4. Generate a report

cat /var/log/maillog | postgreyreport  --nosingle_line --check_sender=mx,a --show_tries  --separate_by_subnet=":=================================================================\n"
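
What travels over the postgrey socket configured in step 3, as an added example that is neither postgrey's code nor part of the original post: Postfix sends a policy request as name=value lines, and the policy service answers with an action. The model is simplified (it keys on the full client IP and keeps state in memory), uses the --delay=120 and --auto-whitelist-clients=5 values from step 2, and its class and function names are hypothetical.

```python
DELAY = 120          # seconds, from --delay=120
AUTO_WHITELIST = 5   # mails, from --auto-whitelist-clients=5

class Greylist:
    """Simplified model of the greylisting decision per policy request."""
    def __init__(self):
        self.first_seen = {}  # (client, sender, recipient) -> first attempt time
        self.passed = {}      # client -> mails that got through greylisting

    def decide(self, attrs, now):
        client = attrs["client_address"]
        if self.passed.get(client, 0) >= AUTO_WHITELIST:
            return "DUNNO"  # auto-whitelisted client: no delay at all
        triplet = (client, attrs["sender"].lower(), attrs["recipient"].lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first < DELAY:
            # Temporary failure: a real MTA queues the mail and retries.
            return "DEFER_IF_PERMIT Greylisted, retry later"
        self.passed[client] = self.passed.get(client, 0) + 1
        return "DUNNO"      # let the remaining restrictions decide

def parse_request(text):
    """Parse one policy delegation request: name=value lines, blank line ends."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def handle(greylist, request_text, now):
    """Return the reply the policy service writes back to Postfix."""
    return "action=" + greylist.decide(parse_request(request_text), now) + "\n\n"

# Constructed request in the format Postfix sends to a check_policy_service socket.
SAMPLE = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.com\n"
    "\n"
)

if __name__ == "__main__":
    g = Greylist()
    for t in (0, 60, 120):
        print(t, handle(g, SAMPLE, t).strip())
```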

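2018/06/12 postscript

After running this in practice, I do not recommend it. The reason is simple: delay. Receiving mail gets delayed, and that is a real nuisance.

Although clients can be added to the whitelist automatically, there are plenty of cases where someone who rarely writes needs their mail received immediately when they do.

Unless IT has a lot of clout in the company, do not use this approach.

postfix+dovecot+sasl+Active Directory (CentOS 6)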

1. vi /etc/dovecot/conf.d/10-auth.conf
Uncomment the following setting
#!include auth-ldap.conf.ext
as
!include auth-ldap.conf.ext

2.  vi  /etc/dovecot/conf.d/auth-ldap.conf.ext
auth_username_format = %Lu

passdb ldap {
args = /etc/dovecot/dovecot-ldap.conf.ext

}

userdb static {
args = uid=501 gid=501 home=/home/vmail/%u
}
3. vi /etc/dovecot/dovecot-ldap.conf.ext
hosts = ad_server_ip
base = dc=test,dc=com,dc=tw
ldap_version = 3
auth_bind = yes
auth_bind_userdn = test%u
pass_filter = (&(objectclass=person)(uid=%u))

P.S. The uid and gid must match the ones Postfix uses and the owner of the directory on the Linux server.
Example: create a user "vmail"
with uid 501 and gid 501.

4. postfix’s main.cf
virtual_mailbox_domains = $mydomain
virtual_mailbox_base = /home/vmail/
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps = static:501
virtual_gid_maps = static:501
virtual_alias_maps = hash:/etc/aliases,ldap:/etc/postfix/ldap-aliases-inner.cf
#smtp auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
#additional param
message_size_limit = 40960000
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
bounce_queue_lifetime = 1d
maximal_queue_lifetime = 1d
data_directory = /var/db/postfix
header_checks = regexp:/etc/postfix/header_checks
smtp_host_lookup = native, dns

5. vi /etc/postfix/ldap-users.cf
server_host = ad_server_ip
search_base = dc=test,dc=com,dc=tw
version = 3
query_filter = (&(objectclass=*)(mail=%s))
# Account name from the DC
result_attribute = samaccountname
result_format = %s/Maildir/
bind = yes
bind_dn = cn=ldap,cn=Users,dc=test,dc=com,dc=tw
bind_pw = ldappassword

6. vi /etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
#MECH=pam
MECH=ldap

# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS="-O /etc/postfix/saslauthd.conf -c -r"

7. vi /etc/postfix/saslauthd.conf
ldap_servers: ldap://ad_server_ip:389/
ldap_search_base: dc=test,dc=com,dc=tw
ldap_auth_method: bind
ldap_version: 3
ldap_bind_dn: cn=ldap,cn=Users,dc=test,dc=com,dc=tw
ldap_bind_pw: ldappassword
ldap_filter: (sAMAccountName=%u)

8. vi /etc/postfix/ldap-aliases-inner.cf
server_host = ad_server_ip
search_base = dc=test,dc=com,dc=tw
#scope = sub
query_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=%s,OU=aliases_inner,DC=test,DC=com,DC=tw)
result_attribute = mail
result_format = %s
version = 3
bind = yes
bind_dn = cn=ldap,cn=Users,dc=test,dc=com,dc=tw
bind_pw = ldappassword


			
		