RE: [Postfixbuch-users] Modifying mail headers - SOLUTION

Marcel Hartmann mail at marcel-hartmann.com
Thu Jun 2 13:06:48 CEST 2005


Hello Thomas,

> > Thanks for your efforts with the header_checks.
> > I tried this variant as well, and for me the header still looks like this:
> >
> > [...]
> >
> > Could it be that the file /etc/postfix/Header_Checks has to be processed
> > with chmod first, so that Postfix can access it? Possibly chown
> > postmaster:postmaster /etc/postfix/header_checks; ?
>
> Possible, but I consider it unlikely, since I didn't need it either.
> What does your /etc/postfix/master.cf look like?
> The only thing I can still imagine is that, if you have amavisd-new or
> something similar running, the header_checks are disabled for the last
> run of smtpd.
>
> You did put the tab between the regexp and the IGNORE, though
> (and NO space etc. in between)?
> You didn't perhaps copy it out of my mail via cut'n'paste?

Hehe, no. I paid careful attention to everything! ;-)
Here are my configs:

1. master.cf
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_etrn_restrictions=reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags= user=cyrus argv=/usr/lib/cyrus-imapd/deliver -r ${sender} -m ${extension} ${user}
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

# amavis smtp listener
smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
  -o smtp_send_xforward_command=yes

# run postfix on port 10025 for amavis
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks
  -o smtp_send_xforward_command=yes


2. main.cf
Excerpt:
# additions for virtual alias maps
virtual_alias_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf

# rewriting of outgoing mails; here the accounts test0001 are rewritten to
# user.name at virtualdomain.tld
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf

# SMTP Authentication with SASL and PAM
smtpd_sasl_auth_enable = yes

# dns rbls !! Spam is not even accepted and scanned!
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_rbl_client        ix.dnsbl.manitu.net
        reject_rbl_client        cbl.abuseat.org
        reject_rbl_client        sbl-xbl.spamhaus.org
        reject_rbl_client        list.dsbl.org
        reject_rbl_client        relays.ordb.org
        reject_rbl_client        opm.blitzed.org
        reject_rbl_client        dnsbl.njabl.org
        permit

# sort out dangerous file extensions
# mime checks for attachments with exe etc.; these are blocked
mime_header_checks=pcre:/etc/postfix/body_checks

# header checks to modify the mail header a bit; the amavis 10024 and 10025
# entries should be removed from the header
header_checks = pcre:/etc/postfix/header_checks

# mail servers that want to send mail without ehlo are rejected
smtpd_helo_required = yes

# all users must log in before they are allowed to send mail
smtpd_sasl_security_options = noanonymous

# because of the virtual domains no main domain is specified
smtpd_sasl_local_domain =

# if something goes wrong during login, it then does not abort
broken_sasl_auth_clients = yes

# quota for outgoing smtp and inbox
# quota 40 and 250 MB
message_size_limit = 40480000
mailbox_size_limit = 256000000

# tls support ssl
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# content filter amavisd-new with its tools
content_filter = smtp-amavis:[127.0.0.1]:10024

3. /etc/postfix/header_checks
/^Received: from.*(127\.0\.0\.1|localhost)/     IGNORE

4. amavisd.conf excerpt:
$max_servers = 2;            # number of pre-forked children (2..15 is common)
$daemon_user  = "amavis";     # (no default;  customary: vscan or amavis)
$daemon_group = "amavis";     # (no default;  customary: vscan or amavis)

$mydomain = 'snitch.de';   # a convenient default for other settings

$MYHOME = "/var/amavis";
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to be created manually
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR
$QUARANTINEDIR = "/var/virusmails";
$db_home   = "$MYHOME/db";
@local_domains_maps = ( [".$mydomain"] );
$log_level = 0;              # verbosity 0..5
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 0;              # log via syslogd (preferred)
$SYSLOG_LEVEL = 'mail.critical';
$LOGFILE = "/var/log/amavis.log";
$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1; 
$inet_socket_port = 10024; 
$sa_tag_level_deflt  = 3.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.3; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?
$sa_auto_whitelist = 1;  
$virus_admin               = undef; # "virusalert\@$mydomain";  # notifications recip.

$mailfrom_notify_admin     = undef; # "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_recip     = undef; # "virusalert\@$mydomain";  # notifications sender
$mailfrom_notify_spamadmin = undef; # "spam\@$mydomain"; # notifications sender

$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

@addr_extension_virus_maps      = ('virus');
@addr_extension_spam_maps       = ('spam');
@addr_extension_banned_maps     = ('banned');
@addr_extension_bad_header_maps = ('badh');
$MAXLEVELS = 14;
$MAXFILES = 1500;
#$MIN_EXPANSION_QUOTA =      100*1024;  # bytes  (default undef, not enforced)
#$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes  (default undef, not enforced)
$MIN_EXPANSION_QUOTA = undef;
$MAX_EXPANSION_QUOTA = undef;


$sa_spam_subject_tag = '***SPAM*** ';
$defang_virus  = 0;  # MIME-wrap passed infected mail
$defang_banned = 1;  # MIME-wrap passed mail containing banned name


# OTHER MORE COMMON SETTINGS (defaults may suffice):

$myhostname = 'mailrelay.snitch.de';  # must be a fully-qualified domain name!

$notify_method  = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025';  # set to undef with milter!

$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_BOUNCE;
$final_spam_destiny       = D_PASS;
$final_bad_header_destiny = D_PASS;

Config with Antivir as primary and Clamd as secondary scanner, and
SpamAssassin of course ;)

Regards,

Marcel Hartmann
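
Relevant to Thomas's question whether header_checks are disabled for the last smtpd pass: the following is an added example, not part of the original post. It lists master.cf services whose `-o receive_override_options` contains `no_header_body_checks` and tests the posted header_checks rule against Received headers; the master.cf excerpt, host names and sample headers are constructed.

```python
import re

# Constructed master.cf excerpt modelled on the two smtpd listeners in the post.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
# amavis re-injection listener
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o receive_override_options=no_header_body_checks
"""

# Rule from the posted header_checks; Postfix pcre tables match
# case-insensitively by default, hence re.IGNORECASE.
RULE = re.compile(r"^Received: from.*(127\.0\.0\.1|localhost)", re.IGNORECASE)

# Constructed Received headers (hypothetical host names).
LOCAL_HOP = "Received: from localhost (localhost [127.0.0.1]) by mail.example.org (Postfix)"
REMOTE_HOP = "Received: from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.org (Postfix)"


def parse_services(text):
    """Map 'service/type' to its -o overrides; indented lines continue an entry."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        tokens = line.split()
        if not line[0].isspace():  # new entry: 8 fixed fields, then arguments
            current = services.setdefault(f"{tokens[0]}/{tokens[1]}", {})
            tokens = tokens[8:]
        if current is None:
            continue
        for flag, arg in zip(tokens, tokens[1:]):
            if flag == "-o" and "=" in arg:
                name, value = arg.split("=", 1)
                current[name] = value
    return services


def services_skipping_header_checks(text):
    """Services whose receive_override_options disables header/body checks."""
    return [name for name, opts in parse_services(text).items()
            if "no_header_body_checks"
            in re.split(r"[,\s]+", opts.get("receive_override_options", ""))]


def rule_matches(header):
    """True if the posted IGNORE rule would match this header line."""
    return RULE.search(header) is not None


if __name__ == "__main__":
    print(services_skipping_header_checks(MASTER_CF))
    print(rule_matches(LOCAL_HOP), rule_matches(REMOTE_HOP))
```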




