pcre
------------
Email Header and Body Checks with Postfix SMTP Server
Postfix provides 4 simple content checking parameters:
header_checks
mime_header_checks
nested_header_checks
body_checks
Postfix will check all inbound emails when any of the above parameters is being used. Each parameter points to a lookup table containing regular expression patterns and actions. The patterns are compared to strings within email messages (header and body). If Postfix finds a match, the specified action is executed. Header and body checks are done by the Postfix cleanup daemon.
There are mainly two types of regular expressions that can be used by Postfix.
regexp: POSIX regular expression
PCRE: Perl compatible regular expression
Postfix comes with POSIX regular expression support, but PCRE is way faster. To use PCRE in Postfix, you need to install the postfix-pcre package.
yum -y install postfix-pcre
Run the following command and you will see pcre is now supported.
postconf -m
Header Checks
To enable header_checks in Postfix, open the main configuration file.
vi /etc/postfix/main.cf
Add the following line at the end of the file.
header_checks = pcre:/etc/postfix/header_checks
Save and close the file. Then you need to create the /etc/postfix/header_checks lookup file with a command line text editor such as Nano.
vi /etc/postfix/header_checks
You can add regular expression checking like below.
/free mortgage quote/ REJECT
/repair your credit/ REJECT
The left-hand key is a regular expression enclosed by two forward slashes. If any of the strings on the left-hand side appear in any of the headers of an email message (these would most likely show up in the Subject: header), the message is rejected during the SMTP dialog. By default, regular expression checking is not case-sensitive.
You can also use DISCARD, instead of REJECT.
/free mortgage quote/ DISCARD
/repair your credit/ DISCARD
This will cause Postfix to claim successful delivery and silently discard the message. DISCARD makes it look as if the message was delivered even though it was simply thrown away. I often use DISCARD when I don’t want the spammer to know I have blocked a certain phrase for incoming email. DISCARD can also be useful to minimize the backscatter problem. If an innocent user’s email address is used as the sender address, you can claim successful delivery, so that the innocent user does not receive bounce messages.
Some stupid spammers use multiple email addresses in the To: header, instead of using Blind Carbon Copy (BCC). If you are sure an email address won’t be accepting emails with multiple recipients in the To: header, you can add the following lines to discard such email.
/To:.*(gmail.com|yahoo.com|outlook|hotmail.com).*you@yourdomain.com/ DISCARD
/To:.*you@yourdomain.com.*(gmail.com|yahoo.com|outlook|hotmail.com)/ DISCARD
The above lines check whether a Gmail/Yahoo/Outlook/Hotmail address and your domain email address appear in the To: header at the same time. If so, the email is discarded. The two characters .* are a wildcard in regular expressions that matches any sequence of characters.
Some spammers use a blank email address in the From: or To: header. You can add the following checks.
/To:.*<>/ DISCARD
/From:.*<>/ DISCARD
Once you finish editing the header_checks lookup file, you need to build the index file.
postmap /etc/postfix/header_checks
Then restart Postfix for the changes to take effect.
systemctl restart postfix
Body Checks
In addition to header checks, Postfix can check the body of an email message. To enable body_checks in Postfix, open the main configuration file.
vi /etc/postfix/main.cf
Add the following line at the end of the file.
body_checks = pcre:/etc/postfix/body_checks
Save and close the file. Then you need to create the /etc/postfix/body_checks lookup file.
vi /etc/postfix/body_checks
You can add regular expression checking like below.
/free mortgage quote/ REJECT
/repair your credit/ REJECT
You can use DISCARD instead of REJECT.
/free mortgage quote/ DISCARD
/repair your credit/ DISCARD
The patterns indicated by the body_checks parameter are checked against each line of the body of the message. If any of the strings on the left-hand side appear in the body of an email message, the message is rejected or discarded. Once you finish editing the body_checks lookup file, you need to build the index file.
postmap /etc/postfix/body_checks
Then restart Postfix for the changes to take effect.
systemctl restart postfix
Append the lines below to /etc/postfix/header_checks.
/^Subject:/ WARN
/^User-Agent:/ IGNORE
/^From:.*<#.*@.*>/ REJECT
/^Return-Path:.*<#.*@.*>/ REJECT
/^Received: from 127.0.0.1/ IGNORE
body_checks = pcre:/etc/postfix/body_checks.pcre
# vi body_checks.pcre
# First skip over base 64 encoded text to save CPU cycles.
# Requires PCRE version 3.
~^[[:alnum:]+/]{60,}$~ OK
# Put your own body patterns here.
/Viagra/ REJECT
/pron/ REJECT
/sex/ REJECT
/free money/ REJECT
/^.*=20[a-z]*=20[a-z]*=20[a-z]*=20[a-z]*/ REJECT
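As an added example (not part of the original page), this Python sketch approximates how a body_checks table is evaluated: each body line is tested against the rules in file order, case-insensitively by default, and the first match decides the action. Python's re module stands in for PCRE, and the sample lines and the tightened table are constructed for illustration; it shows that the unanchored /sex/ and /pron/ patterns above also hit ordinary words, and that \b word boundaries (with WARN while a rule is on trial) avoid that.

```python
import re

# PAGE_RULES: body patterns listed on the page. TIGHTER_RULES: constructed variant.
PAGE_RULES = """
/Viagra/      REJECT
/pron/        REJECT
/sex/         REJECT
/free money/  REJECT
"""
TIGHTER_RULES = r"""
/\bViagra\b/     REJECT
/\bpron\b/       WARN
/\bsex\b/        WARN
/\bfree money\b/ REJECT
"""
# Constructed sample body lines: two legitimate, two spam-like.
SAMPLE_BODY = [
    "The meeting moved to the Sussex office.", "How do you pronounce the vendor's name?",
    "Claim your FREE MONEY today", "cheap viagra, no prescription",
]
RULE_RE = re.compile(r"^(\S)(.+?)\1([A-Za-z]*)\s+([A-Z_]+)")

def parse_table(text):
    """Return [(compiled_regex, action)] in file order, skipping blanks and comments."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        # Postfix matches case-insensitively by default; a trailing 'i' flag toggles that off.
        flags = 0 if "i" in m.group(3) else re.IGNORECASE
        rules.append((re.compile(m.group(2), flags), m.group(4)))
    return rules

def check_line(rules, line):
    """First matching rule wins; None means no rule matched the line."""
    for regex, action in rules:
        if regex.search(line):
            return action
    return None

def scan(table_text, lines=SAMPLE_BODY):
    rules = parse_table(table_text)
    return [check_line(rules, line) for line in lines]

if __name__ == "__main__":
    print(*zip(SAMPLE_BODY, scan(PAGE_RULES), scan(TIGHTER_RULES)), sep="\n")
```

On a real server, a single string can be tested against the live table with postmap -q "some text" pcre:/etc/postfix/body_checks.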
-----------