checks

-------

Email header checks.

1. To start with, we will create a custom header check file that will contain the headers we want to ignore:

$ touch /opt/zimbra/conf/custom_header_checks

2. Once the file is created, we are going to add it to the zimbra configuration:

$ zmprov mcf zimbraMtaHeaderChecks 'pcre:/opt/zimbra/conf/postfix_header_checks  pcre:/opt/zimbra/conf/custom_header_checks'
$ zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE

Confirm the new header check file is picked up by zimbra:

$ postconf | grep header_checks

3. The next step would be to populate the file with data. Below is an example of this file with various headers:

/^Subject:/ WARN

/X-Virus-Scanned/     IGNORE
/^Received: from 127.0.0.1/     IGNORE
/^X-Originating-IP:/     IGNORE
/^X-Mailer:/     IGNORE
/^Mime-Version:/     IGNORE
/^User-Agent:/     IGNORE
/^X-Sanitizer:/     IGNORE
/^X-Spam-Status:/     IGNORE
/^X-Spam-Level:/     IGNORE
/^Message-ID:/     IGNORE
/^X-MimeOLE:/     IGNORE
/^X-MSMail-Priority:/     IGNORE
/^Received:/     IGNORE

The above headers are just an example. You can use any of these headers to hide sensitive information based on your needs. But beware that some MX servers will automatically mark such emails passing through as spam. Furthermore, removing all the above information will make troubleshooting very difficult. Choose which headers you would like to remove, and perform tests before implementing that on a production system.

4. Once you finish editing the file, restart MTA to complete the setup:

$ zmmtactl restart

Block Email Spoofing by Display Name

su - zimbra
vi /opt/zimbra/conf/from_checks

/^From:(.*@)+(.*@)/ HOLD it looks like you are spam

Note: If you receive an email that has @ in the display name, the email will be held and you will see the message “it looks like you are spam” in the log. You can replace HOLD with another action such as DISCARD or REJECT.

Run the following commands to add the header check and restart postfix:

# zmprov ms `zmhostname` zimbraMtaHeaderChecks "pcre:/opt/zimbra/conf/postfix_header_checks,pcre:/opt/zimbra/conf/from_checks"
# zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE
# postfix reload

The following is an example email log entry for a message that uses @ in the display name:

D6CAE2811C34: hold: header From: "imanudin@imanudin.net" <spam@spam.xyz> from unknown[120.xxx.xxx.xx]; from=<spam@spam.xyz> to=<cilox@imanudin.com> proto=ESMTP helo=: it looks like you are spam
Nov  1 23:45:45 myzimbra postfix/cleanup[17284]: D6CAE2811C34: message-id=<c8432028-4616-fcea-2280-699b7e22058e@spam.xyz>

Example in mailq:

[zimbra@myzimbra ~]$ mailq
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
D6CAE2811C34!     626 Thu Nov  1 23:45:45  spam@spam.xyz
                                         cilox@imanudin.com

-- 1 Kbytes in 1 Requests.

First, look at the postfix_header_checks in Zimbra's localconfig.

zmlocalconfig | grep header_checks

Most likely you will see the following:

postfix_header_checks = pcre:/opt/zimbra/conf/postfix_header_checks

Now, let's create our own header_checks file. Note: For this wiki, I am going to create a "custom_header_checks" file, but you can create your own file.

touch /opt/zimbra/conf/custom_header_checks
zmlocalconfig -e postfix_header_checks="pcre:/opt/zimbra/conf/postfix_header_checks, pcre:/opt/zimbra/conf/custom_header_checks"
zmmtactl restart
zmlocalconfig | grep postfix_header_checks

You should see:

postfix_header_checks = pcre:/opt/zimbra/conf/postfix_header_checks, pcre:/opt/zimbra/conf/custom_header_checks

Don't forget to use postconf to make sure the changes are picked up.

postconf | grep header_checks

If the header_checks are not picked up from the postconf command, run the following command.

zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE
zmmtactl restart

Section III - Editing your custom header checks file

Editing your /opt/zimbra/conf/custom_header_checks is fairly straightforward, just use your favorite editor, e.g. vi, nano, emacs.

No need to run postmap against the /opt/zimbra/conf/custom_header_checks

Section IV - Header checks syntax by example

In the interest of brevity and simplicity, I am only going to provide a few examples. Honestly, I've only scratched the surface of this feature.

/^Subject:(.*)From U.S. Ambassador to Nigeria/   DISCARD #spam rule no msgs from Nigeria
/^Subject:(.*)\?KOI8-R\?/ DISCARD #spam rule Russian encoding not allowed by this server
/^Subject:.*Bad Word*/ REPLACE Subject: Censored
/^From:(.*)Slice-O-Matic Reviews/   DISCARD #spam rule No slice o-matics
/^From:(.*)Your Free iPad/   DISCARD #spam rule No thank you
/^From:(.*)user005@badspammerdomain.com/   DISCARD #spam Known spammer address
/^From:(.*)Tarot Reading/   DISCARD #spam rule No Tarot reading
/^From:(.*)someaccount@yahoo.com/ REDIRECT ceo@domainexample.com #spam rule redirect all messages from this address
/^From:(.*)<(.*)@yahoo.com>(.*)/    REDIRECT monitor@domainexample.com
/^To:(.*)<(.*)@yahoo.com>(.*)/  REDIRECT monitor@domainexample.com
/^To:(.*)*@example.com/ FILTER smtp:mail.anothercompany.au
/^To:(.*)*@myprivatecompany.local/ FILTER smtp:192.168.1.25
/^Cc:(.*)everybody@domain.com/     DISCARD     # Drop any messages that are CC'd to a specific address
# The BCC action below is available in Postfix 3.0 and later
/^To:(.*)somebody@example.com/ BCC manger@domainexample.com     #BCC to the manager
/^Received: from .+\..+\.mydomain\.com .+(by mail\.mydomain\.com .+) / REPLACE Received: $1
/^Received: from mac7\.local/ IGNORE
/^Received: from .*\.local/  IGNORE
/^Received:.*\[192\.168\.0\.[0-9]/      IGNORE
/^Received:.*\[192\.168\.99\.254/      IGNORE      # Hide my internal IP
/^Received:/ IGNORE     # Hide my internal IP
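
To see what a rule will catch before loading it into the MTA, the sketch below evaluates the display-name rule from from_checks and three of the rules above against sample headers, first match wins. It is an added example, not part of the original wiki or of Zimbra/Postfix; it uses Python's re module as a stand-in for PCRE, handles only the "/pattern/ ACTION text" form without flags, and the sample headers are constructed.

```python
import re

# Rules copied from this page (from_checks plus three Section IV examples).
RULES = r"""
/^From:(.*@)+(.*@)/ HOLD it looks like you are spam
/^Subject:(.*)\?KOI8-R\?/ DISCARD #spam rule Russian encoding not allowed by this server
/^Received:.*\[192\.168\.0\.[0-9]/ IGNORE
/^From:(.*)<(.*)@yahoo.com>(.*)/ REDIRECT monitor@domainexample.com
"""

RULE_LINE = re.compile(r"^/((?:\\.|[^/\\])*)/\s+(\S+)\s*(.*)$")

def load_rules(text):
    """Parse '/pattern/ ACTION optional text' lines; skip blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        pattern, action, note = m.groups()
        # Postfix pcre tables match case-insensitively unless flagged otherwise.
        rules.append((re.compile(pattern, re.IGNORECASE), action, note))
    return rules

def check_header(rules, header):
    """Return (action, text) of the first matching rule, or None."""
    for regex, action, note in rules:
        if regex.search(header):
            return action, note
    return None

# Constructed sample headers (the first mirrors the log line on this page).
SAMPLES = [
    'From: "imanudin@imanudin.net" <spam@spam.xyz>',      # address in display name
    'From: Alice Example <alice@example.com>',            # ordinary sender
    'From: "alice@example.com" <alice@example.com>',      # own address as name: also held
    'From: "ceo@domainexample.com" <someone@yahoo.com>',  # HOLD wins over REDIRECT
    'From: Bob <bob@yahoo.com>',
    'Subject: =?koi8-r?B?8NLJ18XU?=',
    'Received: from pc1 (unknown [192.168.0.17]) by mail.example.com',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(check_header(load_rules(RULES), h), "<-", h)
```

The third sample shows that the display-name rule also holds legitimate mail whose display name is the sender's own address, so review the hold queue after enabling it. On the server, postmap -q with the full header line as the key and pcre:/opt/zimbra/conf/from_checks as the table returns the action Postfix itself would take.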

Section V - FAQ's

Question: I want to implement header_checks of my own, will Zimbra Support officially support custom header_checks?

Answer: No. However, you are free to add your own header_checks.

Question: I noticed Zimbra uses /opt/zimbra/conf/postfix_header_checks.in, can I edit this file?

Answer: I would suggest if you are wanting to use your own header_checks, keep your header_checks files separate; header_checks for Zimbra, and your own custom header_checks file.

Question: I noticed you are using "DISCARD" in your examples, why are you not using "REJECT"?

Answer: Because using "DISCARD" means the MTA will delete the message; which is what I want given the regexp syntax. The "REJECT" notation will let senders know that their message was rejected, and the MTA refused to deliver their message.

Question: I've added a header_check rule, but it's not working, what do I do?

Answer: Postfix does a good job notating why a specific header_check rule didn't work. Check the /var/log/zimbra.log file.

grep warning /var/log/zimbra.log

Question: Should I do the changes as root or zimbra user?

Answer: zimbra

Question: I noticed in your examples you are using #spam rule, why?

Answer: Easy grepping of the /var/log/zimbra.log file.

grep "spam rule" /var/log/zimbra.log

Question: Are there any examples on the Internet?

Answer: Yes. Just search for "header_checks by example"

Section VI - ZCS 8.5, 8.6, 8.7, 8.8

If you are using ZCS-8.5, 8.6, or 8.7, update the zimbraMtaHeaderChecks setting, instead of updating the local config by running zmlocalconfig.

zmprov mcf zimbraMtaHeaderChecks 'pcre:/opt/zimbra/conf/postfix_header_checks  pcre:/opt/zimbra/conf/custom_header_checks'
zmmtactl restart

Section VII - Body Checks

By default, Zimbra does not touch the MTA body_checks feature. However, updating the zmconfigd.cf and localconfig should make postfix start using the body_checks setting. See, https://bugzilla.zimbra.com/show_bug.cgi?id=103124.

If you want to implement the MTA's body_checks feature, you can do the following.

Note: This is for versions 8.5, 8.6, 8.7, 8.8

Add the following to the /opt/zimbra/conf/zmconfigd.cf file (right below delay_warning_time, and above header_checks):

POSTCONF body_checks    LOCAL postfix_body_checks

Then update zimbra's localconfig:

zmlocalconfig -e postfix_body_checks="pcre:/opt/zimbra/conf/custom_body_checks"
touch /opt/zimbra/conf/custom_body_checks

Restart the MTA to pick up the changes.

zmmtactl stop
zmmtactl start

Then check it:

postconf | grep "^body_checks ="
body_checks = pcre:/opt/zimbra/conf/custom_body_checks  <<== Should see this line

-------