
PCRE regex in header_checks ignored - why?


Sebastian Wolfgarten

Jan 31, 2016, 5:56:50 AM
Hi,

I have a problem with a PCRE-based rule in header_checks which seems to be ignored, and I can’t understand why this is the case. Hopefully you guys have an idea on how to fix this :-)

So here is my setup: I am using Postfix 2.11.7 on FreeBSD 10, and I am being bombarded with emails from certain hosts in France (and I have no idea why). These hostnames always follow this format:

letter e
1-2 digit number
hostname
.fr

Here are some samples from today:

e16.sodipoc.fr
e38.info-essentiel.fr
e42.1jour1news.fr

I have defined a rule in SpamAssassin which successfully marks the related spam accordingly (works like a charm):

header French_Spam ALL =~ / e\d{1,2}\.\S+\.fr /i
score French_Spam 4.8

Now, rather than just marking the unsolicited emails, I am trying to block them entirely. As such, I have defined the following rule in header_checks, based on the rule I defined in SpamAssassin:

/e\d{1,2}\.\S+\.fr/i REJECT French Spam

I reloaded Postfix (postmap is not necessary for PCRE files, is it?), but I have still received three spam mails today. The rule itself seems okay from my perspective; here is a test of the rule with three hosts I have received spam from today:

$ postmap -q "e16.sodipoc.fr" pcre:/etc/postfix/header_checks
REJECT French Spam

$ postmap -q "e38.info-essentiel.fr" pcre:/etc/postfix/header_checks
REJECT French Spam

$ postmap -q "e42.1jour1news.fr" pcre:/etc/postfix/header_checks
REJECT French Spam

Any idea why this is happening?

Here is an extract of the headers of one of the emails received today (note: the message was marked as spam by Postfix, but I manually removed all the related headers and information so as not to end up in your spam filters):

Return-Path: <bou...@e42.1jour1news.fr>
Delivered-To: seba...@wolfgarten.com
Received: from waldfest (localhost [127.0.0.1])
    by waldfest.wolfgarten.com (Postfix) with ESMTP id 4154D704B9
    for <seba...@wolfgarten.com>; Sun, 31 Jan 2016 11:06:58 +0100 (CET)
X-Quarantine-ID: <xg91jhFD9UJP>
Received: from waldfest.wolfgarten.com ([127.0.0.1])
    by waldfest (waldfest.wolfgarten.com [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id xg91jhFD9UJP for <seba...@wolfgarten.com>;
    Sun, 31 Jan 2016 11:06:44 +0100 (CET)
X-Greylist: delayed 300 seconds by postgrey-1.36 at waldfest; Sun, 31 Jan 2016 11:06:44 CET
Received: from e42.1jour1news.fr (e42.1jour1news.fr [62.210.13.102])
    by waldfest.wolfgarten.com (Postfix) with ESMTP id A6750704AC
    for <seba...@wolfgarten.com>; Sun, 31 Jan 2016 11:06:44 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=e42.1jour1news.fr;
    h=List-Unsubscribe:Message-ID:Date:Subject:From:Reply-To:To:MIME-Version:Content-Type; i=se...@e42.1jour1news.fr;
    bh=zQj93n30egRyo2hFB5OnJZSylLw=;
    b=FSLGriDlKRcl/NXBkxXU7ANj7JEO3+ltGllwY3hZu2bXxjJLXjFbz+fTZljB2BHbYMaKFmZxd6cF
    6OhoV689FNZPqC1SBUt7rA2qMTRP0gqpuCGkMqTZ9KaSObrSNlZgCsxnsOuLWt7zrjF1OHL6jT8C
    y0Nre8XUjO0vR+d2Jbs=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key; d=e42.1jour1news.fr;
    b=Y4c0lfDPkQ4YaimLaY4exKzB9WpnZVLpQ+HP7976BIB5gFzWEIF+n9wYB7afXxThUNNWaomOHcJs
    LxgAMqLl9nmkNLI6FRS0zn3cC/Pq8wUoUxdhyity3JWxiTo3q12ZP2/UxsYaOcWccB03Ch8VsB2u
    9dhJQsHlnHCxcvj2Grs=;
List-Unsubscribe: <http://link.lilinews.fr/t/u/mT2NTvqG3IQSUL1gyO7Px8zP42vuolnECda87eT2bELfB63CFJolSx2R-d9wMmfhSsIzs-RQFBJ7mGmt1RffM79Wt7YeSHwsbbVWTpjRwEE>
Message-ID: <1454234504.tinkiwink...@link.lilinews.fr>
Date: Sun, 31 Jan 2016 11:01:44 +0100
Subject: =?UTF-8?Q?15=E2=82=AC?= offerts sur la nouvelle collection

Finally, here is my Postfix config:

alias_maps = hash:/etc/aliases,mysql:/etc/postfix/mysql_virtual_alias_maps.cf
body_checks = pcre:/etc/postfix/body_checks,pcre:/etc/postfix/bad_urls
canonical_maps = regexp:/etc/postfix/rewrite
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 20
dovecot_destination_recipient_limit = 1
header_checks = pcre:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
local_destination_concurrency_limit = 2
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mlmmj_destination_recipient_limit = 1
mydestination = $myhostname, sms.wolfgarten.com
mydomain = wolfgarten.com
myhostname = waldfest.wolfgarten.com
mynetworks = ***REMOVED***
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = $smtpd_milters
propagate_unmatched_extensions = virtual
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/sender_access, check_client_access cidr:/etc/postfix/access-client, reject_rbl_client b.barracudacentral.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client truncate.gbudb.net, reject_rbl_client dul.dnsbl.sorbs.net, check_policy_service inet:127.0.0.1:10023
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unknown_sender_domain, reject_non_fqdn_sender
soft_bounce = no
transport_maps = regexp:/etc/postfix/transport,hash:/var/spool/mlmmj/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual,hash:/var/spool/mlmmj/virtual,mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domain_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot

Thank you.

Best regards
Sebastian


Sebastian Wolfgarten

Jan 31, 2016, 8:03:58 AM
Hi Sebastian,

Yes, but this would require me to actually know all the hostnames upfront, i.e. I cannot use a PCRE regex if I am not mistaken, can I?

Thanks.

Best regards
Sebastian

> On 31.01.2016 at 12:52, Sebastian Nielsen <seba...@sebbe.eu> wrote:
>
> I would suggest using check_sender_access instead of header checks. Then you can reject based on MAIL FROM:, since apparently the hosts are using their e**. hostname in MAIL FROM.
>
> -----Original Message-----
> From: owner-pos...@postfix.org [mailto:owner-pos...@postfix.org] On behalf of Sebastian Wolfgarten
> Sent: 31 January 2016 11:56
> To: postfi...@postfix.org
> Subject: PCRE regex in header_checks ignored - why? [Invalid]
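Two things in the exchange above can be checked offline. The posted postmap -q tests look up a bare hostname, whereas cleanup(8) hands header_checks one complete logical header at a time (folded continuation lines included); and access(5) tables, check_sender_access among them, may indeed be pcre: tables, in which case the whole envelope sender is matched against each pattern in order. The Python below is an added example written for this page, not Postfix code and not the poster's. It emulates both lookups with the flag semantics of pcre_table(5), where every flag letter toggles a default and i (caseless) and s (dot matches newline) are on by default, so the posted /pattern/i is in fact case-sensitive while a bare /pattern/ is not. The anchored Received rule and the sender-access rule are my suggestions; the Received and DKIM-Signature sample headers are cut down and re-folded from the message quoted in the first post, and the Subject line, the upper-case Received line and every address in the sample are constructed.

```python
"""Emulate the pcre: table lookups behind header_checks and check_sender_access.

Added example for this page, not Postfix code and not the poster's.  The
Received and DKIM-Signature samples are cut down and re-folded from the quoted
message; the Subject line, upper-case Received line and all addresses are
constructed.  Python's re stands in for PCRE; the constructs used here agree.
"""
import re

# pcre_table(5): each flag letter TOGGLES its setting.  i (caseless) and
# s (dot matches newline) are on by default, so /x/ is case-insensitive
# and /x/i is case-sensitive.
_FLAG_BITS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}
_DEFAULT_ON = "is"
# optional '!', /pattern/, flag letters, whitespace, action text
_RULE = re.compile(r"^(!?)/((?:[^/\\]|\\.)*)/([imsx]*)\s+(\S.*)$")


def parse_pcre_table(text):
    """Turn '/pattern/flags ACTION text' lines into (negate, regex, action)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError("unsupported pcre table line: %r" % line)
        negate, pattern, flags, action = m.groups()
        on = set(_DEFAULT_ON)
        for ch in flags:
            on ^= {ch}                       # toggle, as Postfix does
        reflags = 0
        for ch in on:
            reflags |= _FLAG_BITS[ch]
        rules.append((negate == "!", re.compile(pattern, reflags), action))
    return rules


def lookup(rules, key):
    """First rule whose pattern matches (or, with '!', fails to match) wins."""
    for negate, rx, action in rules:
        if bool(rx.search(key)) != negate:
            return action
    return None


def logical_headers(raw):
    """Re-join folded lines: cleanup(8) matches one logical header at a time."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += "\n" + line
        elif line:
            out.append(line)
    return out


def header_checks(table, raw_headers):
    """Return [(header name, action)] for each logical header the table fires on."""
    rules = parse_pcre_table(table)
    hits = []
    for hdr in logical_headers(raw_headers):
        action = lookup(rules, hdr)
        if action:
            hits.append((hdr.split(":", 1)[0], action))
    return hits


def sender_access(table, sender):
    """check_sender_access with a pcre: table: one lookup on the whole address."""
    return lookup(parse_pcre_table(table), sender)


# The rule exactly as posted; because of the toggle, /i makes it case-SENSITIVE.
OP_RULE = r"/e\d{1,2}\.\S+\.fr/i REJECT French Spam"
# The same pattern without the flag: Postfix's default, case-insensitive.
OP_RULE_CASELESS = r"/e\d{1,2}\.\S+\.fr/ REJECT French Spam"
# Assumed narrower rule: only the sending host named in a Received header.
ANCHORED_RULE = r"/^Received: from e\d{1,2}\.[\w.-]+\.fr[\s(]/ REJECT French Spam"
# Assumed pcre: table for check_sender_access; the key is the envelope sender.
SENDER_RULE = r"/@e\d{1,2}\.[\w.-]+\.fr$/ REJECT French Spam"

SAMPLE_HEADERS = """\
Received: from e42.1jour1news.fr (e42.1jour1news.fr [62.210.13.102])
\tby waldfest.wolfgarten.com (Postfix) with ESMTP id A6750704AC
\tfor <recipient@wolfgarten.com>; Sun, 31 Jan 2016 11:06:44 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=e42.1jour1news.fr;
\th=List-Unsubscribe:Message-ID:Date:Subject:From:Reply-To:To:MIME-Version:Content-Type;
Subject: Re: outage on e2.example.fr last night
"""
UPPER_CASE_RECEIVED = "Received: from E42.1JOUR1NEWS.FR (E42.1JOUR1NEWS.FR [62.210.13.102])"

if __name__ == "__main__":
    print("posted rule   ->", header_checks(OP_RULE, SAMPLE_HEADERS))
    print("anchored rule ->", header_checks(ANCHORED_RULE, SAMPLE_HEADERS))
```

Run as a script, it shows the posted rule firing on the Received header, on the DKIM-Signature header and on the constructed Subject line as well: an unanchored pattern rejects any message that merely mentions such a host, whereas the anchored rule only fires on the Received header. Against the upper-case Received line the posted rule does not match at all, because the /i toggled case sensitivity on. Python's re is not PCRE, so keep an emulation like this to the constructs both share and confirm a real table with postmap -q against a full header line, e.g. postmap -q "Received: from e42.1jour1news.fr (e42.1jour1news.fr [62.210.13.102])" pcre:/etc/postfix/header_checks, rather than against a bare hostname.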

Wilfrie...@essignetz.de

Jan 31, 2016, 8:44:58 AM
Hi,

Do you use amavis in before-queue or after-queue mode?

If before, you should possibly look at your master.cf, at the lines
that get the mail back from amavis. Do you have something like

-o receive_override_options=no_header_body_checks
or
-o header_checks=
there?

Willi
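The check Willi describes can be automated. The Python below is an added example written for this page, not Postfix code and not the poster's master.cf: it parses master.cf entries together with their -o overrides and reports, for each receiving service (smtpd, qmqpd, pickup), whether header_checks and body_checks will run on mail accepted there. MASTER_CF is constructed after the usual amavisd-new after-queue layout, assuming filtered mail comes back on 127.0.0.1:10025 (the quoted main.cf only shows the outbound side, content_filter = amavisfeed:[127.0.0.1]:10024), and MAIN_CF holds the three parameters from the quoted main.cf that matter for this question.

```python
"""Report which master.cf services will actually run header_checks/body_checks.

Added example for this page, not Postfix code and not the poster's files.
MASTER_CF is constructed after the usual amavisd-new after-queue layout,
assuming filtered mail comes back on 127.0.0.1:10025; MAIN_CF carries the
three parameters from the quoted main.cf that matter for this question.
"""

# Only these daemons honour receive_override_options (see postconf(5)).
RECEIVING_DAEMONS = {"smtpd", "qmqpd", "pickup"}


def parse_master_cf(text):
    """Return {'name/type': {'daemon': str, 'options': {param: value}}}.

    Entries have 8 columns, the last being the command and its arguments;
    indented lines continue the previous entry.  Braced {...} option values
    (allowed by newer Postfix releases) are not handled here.
    """
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[:1].isspace():                    # continuation of the command
            if current is None:
                raise ValueError("continuation line before first service entry")
            current["args"].extend(raw.split())
            continue
        fields = raw.split(None, 7)
        if len(fields) != 8:
            raise ValueError("malformed master.cf entry: %r" % raw)
        command = fields[7].split()
        current = {"daemon": command[0], "args": command[1:]}
        services["%s/%s" % (fields[0], fields[1])] = current
    for svc in services.values():                # collect "-o name=value" pairs
        args, svc["options"] = svc.pop("args"), {}
        for flag, setting in zip(args, args[1:]):
            if flag == "-o":
                name, _, value = setting.partition("=")
                svc["options"][name] = value
    return services


def header_checks_enabled(master_cf, main_cf):
    """Map each receiving service to True if header/body checks run on its mail.

    A -o on a service overrides main.cf for that service only.  header_checks
    is a cleanup(8) parameter, so an empty '-o header_checks=' only counts on
    the cleanup entry the service uses (cleanup_service_name), never on smtpd.
    """
    services = parse_master_cf(master_cf)
    result = {}
    for key, svc in services.items():
        if svc["daemon"] not in RECEIVING_DAEMONS:
            continue
        opt = svc["options"]
        override = opt.get("receive_override_options",
                           main_cf.get("receive_override_options", ""))
        skipped = {o.strip() for o in override.split(",") if o.strip()}
        cleanup = opt.get("cleanup_service_name",
                          main_cf.get("cleanup_service_name", "cleanup"))
        cleanup_opt = services.get(cleanup + "/unix", {"options": {}})["options"]
        table = cleanup_opt.get("header_checks", main_cf.get("header_checks", ""))
        result[key] = bool(table.strip()) and "no_header_body_checks" not in skipped
    return result


MAIN_CF = {                      # the relevant lines of the quoted main.cf
    "content_filter": "amavisfeed:[127.0.0.1]:10024",
    "header_checks": "pcre:/etc/postfix/header_checks",
    "receive_override_options": "no_address_mappings",
}

MASTER_CF = """\
# constructed after the amavisd-new README layout, not the poster's real file
smtp      inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
smtp      unix  -       -       n       -       -       smtp
amavisfeed unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
    -o local_recipient_maps=
"""
# The same file with no_header_body_checks taken out of the reinjection listener.
MASTER_CF_FIXED = MASTER_CF.replace("no_header_body_checks,", "")

if __name__ == "__main__":
    for label, text in (("as constructed", MASTER_CF), ("fixed", MASTER_CF_FIXED)):
        print(label, header_checks_enabled(text, MAIN_CF))
```

receive_override_options belongs to the receiving daemon, so a -o on the reinjection smtpd switches header_checks off only for mail coming back from amavis, while the port-25 smtpd keeps the main.cf value (here no_address_mappings, which leaves header and body checks alone). header_checks itself is read by cleanup(8): -o header_checks= only takes effect on a cleanup entry that the smtpd is pointed at via cleanup_service_name, not on the smtpd line. On a live system, postconf -M (Postfix 2.9 and later) prints the active master.cf entries and postconf -n the main.cf values this function consumes.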

Sebastian Wolfgarten

Jan 31, 2016, 9:03:12 AM
Hi,

Spot on: I did indeed have the override_options set not to do any header_body_checks. I have just removed the option, which should hopefully fix my problem.

Many thanks again. I didn’t think of this.

Best regards
Sebastian