# vi /etc/postfix/header_checks for Postfix

--

In main.cf:

header_checks = regexp:/etc/postfix/header_checks

header_checks = pcre:/etc/postfix/header_checks

      header_checks = pcre:/etc/postfix/header_checks        mime_header_checks = pcre:/etc/postfix/mime_header_checks              body_checks = pcre:/etc/postfix/body_checks

 vi /etc/postfix/header_checks

/^Subject:/ WARN

/^User-Agent:/ IGNORE

/^X-Mailer:/ IGNORE

/^X-Originating-IP:/ IGNORE

/^Received:.*with ESMTPSA/  IGNORE

# Sample For Dropping Headers:

/^X-Sanitizer:/ IGNORE

/^X-Spam-Status:/ IGNORE        # not show Spam Tag ]

/^X-Spam-Level:/ IGNORE

/^Received:/ IGNORE

/^Message-ID:/ IGNORE

/^X-MimeOLE:/ IGNORE

/^X-MSMail-Priority:/ IGNORE

---------------------------------------------------------------------------------------------

Redirect specific e-mail address sent to a user, to another user

• Sent from: user@isp.com

  • Addressesd to: user@ourcompany.com

Result: redirect e-mail to:  user2@ourcompany.com.

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access

# vi sender_access

sender@otherdomain.com REDIRECT you@yourdomain.com

sender@otherdomain.com REDIRECT you@yourdomain.com | your2@secondomain.com

                           -----------------------

#cat main.cf .. header_checks = pcre:/etc/postfix/header_checks ..  #cat /etc/postfix/header_checks /From:.*@extdomain1.ltd/ REDIRECT specialuser@domain.ltd

------------------------------------

# Sample For Dropping Headers: #/^Header: IfContains/ IGNORE /^Received: from 127.0.0.1/ IGNORE /^User-Agent:/ IGNORE /^X-Mailer:/ IGNORE /^X-Originating-IP:/ IGNORE  # Sample For Dropping Headers: #/^Header: IfContains/ IGNORE /^X-Sanitizer:/ IGNORE /^X-Spam-Status:/ IGNORE /^X-Spam-Level:/ IGNORE  # Sample For Dropping Headers: #/^Header: IfContains/ IGNORE /^Received:/ IGNORE /^Message-ID:/ IGNORE /^X-MimeOLE:/ IGNORE /^X-MSMail-Priority:/ IGNORE  /^Received:.*with ESMTPSA/  IGNORE /^From:.*<#.*@.*>/ REJECT /^Return-Path:.*<#.*@.*>/ REJECT

/^.*=20[a-z]*=20[a-z]*=20[a-z]*=20[a-z]*/ IGNORE

/^Subject: .*f[ _\.\*\-]+r[ _\.\*\-]+e[ _\.\*\-]+e/ REJECT Hidden Word 1

/^Received:s+.*/ IGNORE    #To hide server IP address from headers:

/E-mail Storage Limit Exhausted/ REJECT /Your email account was recently logged into from another computer/    REJECT /Update Mail From Admin Server/                                         REJECT /Urgent Mail From Server/                                               REJECT /mailbox will be terminated after 24 hours/        REJECT /hot g!rl want you!/                           REJECT /Hi!/                                           REJECT /Your E-mail Account storage capacity is low/      REJECT /The part-time employment/                        REJECT /Rapid-Acting Supplement For Outstanding Results/  REJECT /Mail From Admin Server/                           REJECT /Urgent Mail From Server/                          REJECT /Your E-mail De-activation/                       REJECT #/invoice/                REJECT -----file attachment types not allowed [invoice] #/scan/                   REJECT -----file attachment types not allowed [scan]                           550 5.7.1 "file attachment types not allowed" . Please zip and resend.

/my new photo/                                          REJECT /Your mailbox is almost full/                      REJECT /account has been Blocked due to system error/     REJECT /mailbox will be terminated after 24 hours/        REJECT /Mailbox Will Be Suspended!/                       REJECT /Your Account Will Be Blocked!/                    REJECT /WILL LOSE YOUR EMAIL ADDRESS/                     REJECT /add more MB to your mailbox/           REJECT /Account will be Suspended soon/        REJECT /UPGRADE IS FREE OFF CHARGE/            REJECT /Validate Your Webmail Account/         REJECT /incoming important 'Message' blocked/   REJECT /Your account has been renewed/ REJECT /Minimum Top-up Deposit Now/     REJECT

/account has been Blocked due to system error/   REJECT

/mailbox will be terminated after 24 hours/          REJECT

/Your account has been renewed/                         DISCARD

/Your account has been hacked/ REDIRECT junkmail@abc.com

/You need to unlock/ REDIRECT junkmail@abc.com

/almost reached their disk quota/     REDIRECT  junkmail@abc.com

/Shutdown email account on/     REDIRECT  junkmail@abc.com

/Upgrade Email Quota/     REDIRECT  junkmail@abc.com

and in /etc/postfix/header_checks you write: 

Postfix: log message from, to and subject

 Append the below line in ‘/etc/postfix/header_checks’

/^Subject:/     WARN

/^From.*)user005@badspammerdomain.com/ DISCARD #spam Known spammer address

/^From.*)Tarot Reading/ DISCARD #spam rule No Tarot reading

/^From.*)someaccount@yahoo.com/ REDIRECTceo@domainexample.com #spam rule redirect all messages from this address

/^From.*)<(.*)@yahoo.com>(.*)/ REDIRECTmonitor@domainexample.com

/^To.*)<(.*)@yahoo.com>(.*)/ REDIRECTmonitor@domainexample.com

--------------------------------------------

/^From:(.*@)+(.*@)/ HOLD it looks like you are spam

D6CAE2811C34: hold: header From: "imanudin@imanudin.net" <spam@spam.xyz> from unknown[120.xxx.xxx.xx]; from=<spam@spam.xyz> to=<cilox@imanudin.com> proto=ESMTP helo=: it looks like you are spam Nov  1 23:45:45 myzimbra postfix/cleanup[17284]: D6CAE2811C34: message-id=<c8432028-4616-fcea-2280-699b7e22058e@spam.xyz>

Step:3 Restart the postfix server

#service postfix restart

#postmap /etc/postfix/header_checks

#  /^subject: *$/   REJECT   Please add subject Line to your mail.

 For global configuration /etc/spamassassin/local.cf and for user configuration ~/.spamassassin/user_prefs add:

score MISSING_SUBJECT          30

will block XXX word separated by spaces

/^Subject:.*\b(XXX)\b/  DISCARD

/^Subject:.*viagra/  DISCARD

If an email is sent to bob on my server, forward it bob’s real email address

/^To: bob@here.com/ REDIRECT bob@there.com

Mime Header Checks   : main.cf   mime_header_checks = regexp:/etc/postfix/maps/mime_header_checks

/name=[^>]*\.(bat|com|exe|dll)/ REJECT  file attachment types not allowed

# These were once common in junk mail.

/^Subject: make money fast/     REJECT /^To: friend@public\.com/       REJECT

Body Filter Map

# First skip over base 64 encoded text to save CPU cycles. ~^[[:alnum:]+/]{60,}$~         OK # Put your own body patterns here.

-----------------------------------------------------------------------------------------------------------------

/etc/postfix/main.cf:     header_checks = pcre:/etc/postfix/header_checks.pcre /etc/postfix/header_checks.pcre:     /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(       ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|       hlp|ht[at]|       inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|       \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|       ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|       vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x         REJECT Attachment name "$2" may not end with ".$4"

Some very basic anit spam stuff

/^From: "spammer/ REJECT

/^From: "ipupiice@aderispharm.com/ REJECT

/^Subject:.*viagra/ DISCARD

/^Subject: .*Make Money Fast!/ REJECT

#attachments

/^(.*)name=\"(.*)\.(exe|lnk|dll|shs|vbe|hta|com|vbs|vbe|js|jse|bat|cmd|vxd|scr|shm|pif|chm)\"$/ DISCARD

/^(.*)name=(.*)\.(exe|lnk|dll|eml|shs|vbe|hta|com|vbs|vbe|js|jse|bat|cmd|vxd|scr|shm|pif|chm)$/ DISCARD

#cs some more good ones

/^Subject: \{Virus\?\}/                                                 REJECT Bogus antivirus warning (1)

/^Subject: Virus Detected by Network Associates, Inc\. Webshield/       REJECT Bogus antivirus warning (2)

/^Subject: ---- Virus Detected ----$/                                   REJECT Bogus antivirus warning (3)

/^Subject: Virus detected$/                                             REJECT Bogus antivirus warning (4)

/^Subject: Virus Alert$/                                                REJECT Bogus antivirus warning (5)

/^(To|From|Cc|Reply-To):.*@optonline/  REJECT Sorry, your message is probably spam

/^Subject: =?big5?/     REJECT Chinese encoding not accepted by this server

/^From:.*\@.*\.cn/      REJECT Sorry, Chinese mail not allowed here

http://www.t29.dk/antiantivirus.txt

Then you issue a "postfix reload".

Check and amend message size limit

postconf -n | grep message_size_limit

postconf -d would show the default

Set to 20MB

postconf -e 'message_size_limit = 20971520'

/etc/init.d/postfix restart

Remove error messages from the mailq

mailq | grep MAILER-DAEMON |  sed -e 's/!$//' | cut -d! -f 1 | postsuper -d -

Remove mail from a sender eg. double-bounces@example.com

mailq | grep double | cut -d" " -f1 | uniq > doubles

cat doubles

cat doubles | wc -l

postsuper -d - < doubles

Check the size of the mail queue:

mailq | tail -15

Display a message in a queue use

postcat <ID> | head -50

Remove all messages containing STRING

for MESSAGE in `grep -R STRING *|awk '{ print substr($3,1,12) }'`; do postsuper -d $MESSAGE; done

Remove all messages containing STRING (When there are subdirectories)

cd /var/spool/postfix/deferred/ [code]for MESSAGE in `grep -R STRING *|awk '{ print substr($3,3,12) }'`; do postsuper -d $MESSAGE; done

Flush queue

postfix flush

or postqueue -f

Re-queue all messages (ie requeue messages in all queues)

postsuper -r ALL

Remove all messages in deferred folder (/var/spool/postfix/deferred)

postsuper -d ALL deferred

Catching errors while changing postfix Chances are that configuration errors during implementation cause Postfix to bounce legitimate messages. Setting the soft_bounce parameter during integration and reloading the Postfix configuration afterwards prevents Postfix from bouncing legitimate mail during that time:

postconf -e "soft_bounce = yes"

postfix reload

As soon as soft_bounce has been activated Postfix will treat all delivery errors as temporary errors - any client that wants to send messages to Postfix will keep mail in the mailqueue and it will suspend delivery until the soft_bounce parameter has been removed or set to no. Once the integration of amavisd-new into the Postfix delivery process has been completed successfully soft_bounce must be removed or Postfix will not generate bounce messages for legitimate mail.

## Putting messages on hold and releasing ##

Put messages on hold that meet search criteria

mailq |grep "user@domain" |awk '{print $1}'|sed 's/\!//' > t for MESSAGE in `cat t`; do postsuper -h $MESSAGE; done]

Put all messages over 2Mb on hold:

cd /var/spool/postfix/active

for MESSAGE in  `find ./ -type f -size +2000k|awk '{ print substr($1,3,12) }'`; do postsuper -h $MESSAGE; done

Release messages on hold that match a criteria

mailq |grep "user@domain" |grep "\!" |awk '{print $1}'|sed 's/\!//' > t for MESSAGE in `cat t`; do postsuper -H $MESSAGE; done

Check the sizes of the queues:

du -sh /var/spool/postfix/*

Check the amount of inbound messages ie by sending domain in the active queue:

qshape -s active (leaving out -s when you want to check by recpient)

Some tuning options (turning off scanning with amavis):

# Amavis support

# content_filter=amavisfeed:[127.0.0.1]:10024

header_checks = regexp:/etc/postfix/header_checks

data_directory = /var/lib/postfix

# cs Performance tuning

smtpd_error_sleep_time = 0

default_process_limit = 200

maximal_backoff_time = 6000

queue_run_delay = 900

minimal_backoff_time = 600

#disable_dns_lookups = yes

EExtract messages form the log file for a user: [code] cat maillog |grep "Mar 4" |grep -v "127.0.0.1" |grep -i "to="|awk '{print $6}'|tee - |egrep -f - maillog|grep -v "127.0.0.1" |grep -v "removed"[/code] Convert maildir to mbox format [code]#!/bin/bash for file in `find /home/user/{current.mdir,new.mbox}/ -type f` do cat $file | formail >> mbox done[/code] This will grab the mdir directory at /home/user/ and convert it to an mbox file at /home/user/new.mbox Squirrelmail Preferances http://www.squirrelmail.org/docs/admin/admin-5.html

/^Subject: .*Make Money Fast!/ Header Filter Searches for the string Make Money Fast! in the Subject line. /name=[^>]*\.(bat|com|exe|dll)/ MIME-Header Filter This will match all messages that have attachments whose files end in .bat, .com, .exe or .dll. /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ Body Filter Body pattern to stop a specific HTML browser vulnerability exploit. /^From: joe@example.com/ Header Filter Matches all messages sent by joe@example.com. /^From: .*@example.com/ Header Filter Matches all messages sent from the example.com domain.

---

# header_checks = pcre:/etc/postfix/header_checks.pcre

# Noel Jones

/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.com(\.\S{2,4})?(\?=)?"?(;|$)/           REJECT ".com" file attachment types not allowed

/^Content-(Disposition|Type):\s+.*?message\/partial\b/                                       REJECT 

/^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|copy|Invoice|scan|document|screensaver|movie)\.zip/ REJECT

/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|ace|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed

# *Any* zip file: just log a warning...

/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/ WARN

          ---------------------------------------------------------------------

/name=[^>]*\.(bat|com|exe)/ REJECT

/^Subject: .*f[ _\.\*\-]+r[ _\.\*\-]+e[ _\.\*\-]+e/ REJECT Hidden Word 1

/^Subject:(.*)fuck|(.*)viagra/ REJECT Dont Bother Sending Rubbish Emails

/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.com(\.\S{2,4})?(\?=)?"?(;|$)/ REJECT ".com" file attachment types not allowed

/^Content-(Disposition|Type):\s+.*?message\/partial\b/   REJECT

/^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|document|EU|bill|copy|Invoice|scan|screensaver|movie)\.zip/ REJECT

/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|app|as[dpx]|ace|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed

# *Any* zip file: just log a warning...

/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/    WARN

               ---------------X------------------

F

  ---- --------------------------------------------------------------------

## 

/service@gtnexus\.com/ FILTER  smtp:[127.0.0.1]:10025

---------------XXXXXXXXXXXXX____________________________________________________________________________________

https://jimsun.linxnet.com/misc/header_checks.txt

Install

# yum -y install pcre-devel pcre

--------------------

# header_checks = pcre:/etc/postfix/header_checks.pcre

# NAME

#        header_checks - Postfix built-in content inspection

#

# SYNOPSIS

#        header_checks = pcre:/etc/postfix/header_checks

#        mime_header_checks = pcre:/etc/postfix/mime_header_checks

#        nested_header_checks = pcre:/etc/postfix/nested_header_checks

#        body_checks = pcre:/etc/postfix/body_checks

#

#        postmap -q "string" pcre:/etc/postfix/filename

#        postmap -q - pcre:/etc/postfix/filename <inputfile

#

#

#        /etc/postfix/main.cf:

#            header_checks = pcre:/etc/postfix/header_checks.pcre

#

#        /etc/postfix/header_checks.pcre:

#            /^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(

#              ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|

#              hlp|ht[at]|

#              inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|

#              \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|

#              ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|

#              vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x

#                REJECT Attachment name "$2" may not end with ".$4"

#

#        Body pattern to stop a specific HTML browser vulnerability

#        exploit.

#

#        /etc/postfix/main.cf:

#            body_checks = regexp:/etc/postfix/body_checks

#

#        /etc/postfix/body_checks:

#            /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/

#                REJECT IFRAME vulnerability exploit

#

# SEE ALSO  # # Generic M$ email-borne worm/trojan/virus protection # # M$-Windoze vulnerable to all these as email-borne viruses/worms/trojans # Added .ade, .adp, .bas, .cpl, .crt, .hlp, .inf, .ins, .isp, .lnk, .mdb, # .mde, .msc, .msi, .msp, .mst, .pcd, .reg, .sct, .shs, .url, .vb, and .wsc # due to: # http://support.microsoft.com/support/kb/articles/q262/6/31.asp?LN=EN-US&SD=gn&FR=0 # (As of 2003-08-24, this URL appears dead.  Thank you, M$) # Noel Jones supplied the following two informative URLS: #  http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 #  http://www.cknow.com/vtutor/vtextensions.htm # For .shs vulnerability, see: http://www.pc-help.org/security/scrap.htm # v2 list: (bat|chm|cmd|com|exe|hta|jse?|pif|scr|sh[bs]|vb[esx]|ws[fh]) # v3 list: Added .asd, .dll, .ocx, .vxd as per Perry E. Metzger # <perry-at-piermont-dot-com> # v4 list: Added .386, .asp, .asx, .bin, .cab, .cgi, .cil, .cpe, .cvp, .eml, # .ex_, .inp, .jar, .keyreg, .mda, .mdw, .mp3, .nte, .nws, .pl, .pm, .pot, # .pps, .slb, .swf, .swt, .sys, .vir, .vmx, .wmd, .wms, .wmz, .xlw, .xms # as per Tim Boyer (tim@denmantire.com) # v5 list: As per "manatworkyes moderator" <devekboy@hotmail.com> # in firewall-wizards mailing list on Wed Jan 29 10:31:32 2003, # added: .htr # v6 list: Missed the following in the M$ bulletin: .app, .csh, .fxp, .ksh, # .mdt, .ops, .prg.  If .ksh and .csh belong, so does .sh - added. # v7 list: added .dot, extension for M$ Office templates could possibly # contain harmful macros. # v8 list: added .adt, .btm, .cbt, .cla(ss)?, .cs[cs], .drv, .email, .fon, # .ini, .lib, .mht(m|ml)?, .mso, .obj, .ov., .pgm, .smm.  Expanded .xlw to # .xl.  (Ref: http://www.cknow.com/vtutor/vtextensions.htm) # (.doc, .html?, .ppt, .prc, .rtf not added, but probably should be.) # ("Source" [.asm, .c, .cpp., .pas, .for] seem unlikely to me) # v9 list: added CLSIDs (e.g.: "name.{FBF23B40-E3F0-101B-8488-00AA003E56F8}") # (Complements of Victor Duchovni and Noel Jones) # v10 list: added .cbl # /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xl.|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed # ".com" handled differently as above lines would catch attachments like # "user@example.com PGP Keys.txt" # "(\.\S{2,4})?(\?=)?"?(;|$)" terminator idea (modified) compliments of # Noel Jones /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.com(\.\S{2,4})?(\?=)?"?(;|$)/ REJECT ".com" file attachment types not allowed # Disallow message fragmentation, as it will bypass the other tests # Ref: http://www.securiteam.com/securitynews/5YP0A0K8CM.html /^Content-(Disposition|Type):\s+.*?message\/partial\b/ REJECT  # Specific virus/worm/trojan attachments that we cannot block by file # type/extension (yet?) # # Sobig.E: your_details|application|document|screensaver|movie #  /^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|document|screensaver|movie)\.zip/ REJECT  # *Any* zip file: just log a warning... /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/ WARN