pcre

------------

Email Header and Body Checks with Postfix SMTP Server

Postfix provides 4 simple content checking parameters.

• • header_checks

  • mime_header_checks

  • nested_header_checks

  • body_checks

Postfix will check all inbound emails when any of the above parameters is being used. Each parameter points to a lookup table containing regular expression patterns and actions. The patterns are compared to strings within email messages (header and body). If Postfix finds a match, the specified action is executed. Header and body checks are done by the Postfix cleanup daemon.

There are mainly two types of regular expressions that can be used by Postfix.

• • regexp: POSIX regular expression

  • PCRE: Perl compatible regular expression

Postfix comes with POSIX regular expression support, but PCRE is way faster. To use PCRE in Postfix, you need to install the postfix-pcre package.

yum -y install postfix-pcre

Run the following command and you will see pcre is now supported.

postconf -m

Header Checks

To enable header_checks in Postfix, open the main configuration file.

vi /etc/postfix/main.cf

Add the following line at the end of the file.

header_checks = pcre:/etc/postfix/header_checks

Save and close the file. Then you need to create the /etc/postfix/header_checks lookup file with a command line text editor such as Nano.

vi /etc/postfix/header_checks

You can add regular expression checking like below.

/free mortgage quote/     REJECT /repair your credit/      REJECT

The lefthand key is a regular expression enclosed by two forward slashes. If any of the strings on the leftland appear in any of the headers of an email message (these would most likely show up in the Subject: header), the message is rejected during the SMTP dialog. By default regular expression checking is not case-sensitive.

You can also use DISCARD, instead of REJECT.

/free mortgage quote/    DISCARD /repair your credit/     DISCARD

This will cause Postfix to claim successful delivery and silently discard the message. DISCARD makes it look as if the message was delivered even though it was simply thrown away. I often use DISCARD when I don’t want the spammer to know I have blocked a certain phrase for incoming email. DISCARD can also be useful to minimize the backscatter problem. If an innocent user’s email address is used as the sender address, you can claim successful delivery, so that the innocent user does not receive bounce messages.

Some stupid spammers use multiple email addresses in the To: header, instead of using Blind Carbon Copy (BCC). If you are sure an email address won’t be accepting emails with multiple recipients in the To: header, you can add the following lines to discard such email.

/To:.*(gmail.com|yahoo.com|outlook|hotmail.com).*you@yourdomain.com/       DISCARD /To:.*you@yourdomain.com.*(gmail.com|yahoo.com|outlook|hotmail.com)/       DISCARD

The above lines will check if an Gmail/Yahoo/Outlook/Hotmail address and your domain email address are in the To: header at the same time. If true, the email will be discarded. The two characters .* are a wild card in regular expressions that can be matched to any characters.

Some spammers use blank email address in the From: or To: header, you can add the following checks.

/To:.*<>/           DISCARD /From:.*<>/         DISCARD

Once you finish editing the header_checks lookup file, you need to build the index file.

postmap /etc/postfix/header_checks

Then restart Postfix for the changes to take effect.

systemctl restart postfix

Body Checks

In addition to header checks, Postfix can check the body of an email message. To enable body_checks in Postfix, open the main configuration file.

vi /etc/postfix/main.cf

Add the following line at the end of the file.

body_checks = pcre:/etc/postfix/body_checks

Save and close the file. Then you need to create the /etc/postfix/body_checks lookup file.

vi /etc/postfix/body_checks

You can add regular expression checking like below.

/free mortgage quote/     REJECT /repair your credit/      REJECT

You can use DISCARD, instead REJECT.

/free mortgage quote/     DISCARD /repair your credit/      DISCARD

The patterns indicated by the body_checks parameter are checked against each line of the body of the message. If any of the strings on the leftland appear in the body of an email message, the message is rejected or discarded. Once you finish editing the body_checks lookup file, you need to build the index file.

postmap /etc/postfix/body_checks

Then restart Postfix for the changes to take effect.

systemctl restart postfix

 Append the below line in ‘/etc/postfix/header_checks’

/^Subject:/     WARN

/^User-Agent:/    IGNORE

/^From:.*<#.*@.*>/ REJECT

/^Return-Path:.*<#.*@.*>/ REJECT

/^Received: from 127.0.0.1/  IGNORE

body_checks = pcre:/etc/postfix/body_checks.pcre

# vi body_checks.pcre

# First skip over base 64 encoded text to save CPU cycles.

# Requires PCRE version 3.

~^[[:alnum:]+/]{60,}$~          OK

# Put your own body patterns here.

/Viagra/ REJECT

/pron/ REJECT

/sex/ REJECT

/free money/ REJECT

/^.*=20[a-z]*=20[a-z]*=20[a-z]*=20[a-z]*/ REJECT

-----------