Capabilities
Dusan Obradovic via amavis-users
amavis-users at amavis.org
Wed May 28 10:07:02 CEST 2014
On May 22, 2014, at 4:29 AM, Gregory Sloop via amavis-users wrote:
> However, we can't just block every .zip file for example. Some zips from some senders are legit.
> Further, I don't want to block mail without generating a bounce reply. [An alternative would be rejecting it before accept at the MTA]
> But generating a bounce for blocked attachments will cause a host of back-scatter.
To reject mail at SMTP time, you can use Postfix before-queue content filtering; see http://www.postfix.org/SMTPD_PROXY_README.html
Working master.cf example:
# To override one or more main.cf options, specify them as arguments
# below, preceding each option by "-o". There must be no whitespace
# in the option itself (separate multiple values for an option by
# commas).
#
# In order to use the "uucp" message transport below, set up entries
# in the transport table.
#
# In order to use the "cyrus" message transport below, configure it
# in main.cf as the mailbox_transport.
#
# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
#
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
# Public SMTP listener with before-queue filtering: mail received here is
# proxied to the filter on 127.0.0.1:10024 before it is queued, so the
# filter's verdict reaches the remote client as the SMTP reply rather than
# as a later bounce. Each client is limited to 10 simultaneous connections.
# NOTE(review): the list archive appears to have stripped leading whitespace;
# in master.cf every "-o" line below must begin with whitespace to continue
# this entry.
# NOTE(review): maxproc is "-" (default_process_limit) and each smtpd holds a
# filter connection while it proxies a message; confirm this does not exceed
# the number of amavisd child processes ($max_servers), or set maxproc here.
# NOTE(review): for rejections to happen at SMTP time amavisd has to answer
# with a reject rather than generate a bounce (e.g. $final_banned_destiny =
# D_REJECT) - confirm in amavisd.conf.
# NOTE(review): XFORWARD/XCLIENT are limited to loopback, which still lets
# any local process assert arbitrary client attributes on this listener;
# keep these two overrides only if a local component needs them.
smtp inet n - n - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o smtpd_client_connection_count_limit=10
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o smtpd_authorized_xclient_hosts=127.0.0.0/8
# SMTPS listener: TLS wrapper mode with SASL authentication enabled.
# NOTE(review): this entry sets neither smtpd_proxy_filter nor a restriction
# such as "permit_sasl_authenticated,reject", so unless main.cf supplies a
# content_filter or stricter restrictions, mail accepted on this port is not
# passed through the before-queue filter used on the "smtp" listener -
# confirm against main.cf.
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
# Postfix internal services. Columns follow the header above: service, type,
# private, unpriv, chroot, wakeup, maxproc, command. Every entry has chroot
# set to "n", i.e. no daemon in this file runs chrooted.
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
# Second cleanup instance, selected by the loopback listeners further down
# through cleanup_service_name=post-cleanup.
# NOTE(review): "virtual_maps" is the pre-2.0 parameter name; emptying it only
# disables virtual alias expansion while virtual_alias_maps is left at its
# default of $virtual_maps. If main.cf sets virtual_alias_maps explicitly,
# this override has no effect - confirm.
post-cleanup unix n - n - 0 cleanup -o virtual_maps=
#
#=====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
#=====================================================================
# Pre-filtering
#=====================================================================
# Pre-filter delivery through pipe(8): runs /usr/sbin/mailprefilter as user
# "filter" and passes the envelope sender, recipient(s), SASL login name and
# client address on its command line.
# NOTE(review): the list archive appears to have stripped leading whitespace;
# the lines after the first must begin with whitespace to continue this entry.
# NOTE(review): pipe(8) executes the command directly, without a shell, but
# ${sender}, ${recipient} and ${sasl_username} are chosen by the SMTP client.
# The filter program has to treat them as untrusted input (never hand them to
# a shell or use them unchecked in file names or queries).
# NOTE(review): ${recipient} expands to one argument per recipient; if the
# program expects a single address after -r, limit deliveries with
# mailprefilter_destination_recipient_limit=1 in main.cf - confirm.
mailprefilter unix - n n - - pipe user=filter argv=/usr/sbin/mailprefilter
--
-s ${sender}
-r ${recipient}
-u ${sasl_username}
-c ${client_address}
#=====================================================================
# Global antivirus/antispam pre-filter (Amavis)
#=====================================================================
# SMTP client transport used to hand queued mail to Amavis: at most 5
# concurrent processes, a 1200 s wait for the reply after end-of-data,
# XFORWARD sent so the filter sees the original client attributes, no DNS
# lookups, and each process exits after 20 uses.
# NOTE(review): the list archive appears to have stripped leading whitespace;
# every "-o" line below must begin with whitespace to continue this entry.
# NOTE(review): these 5 connections come on top of those opened by the
# before-queue smtpd_proxy_filter on the public listener; confirm amavisd's
# $max_servers covers both.
smtp-amavis unix - - n - 5 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
# SMTP interface for injecting mail into Amavis: a loopback-only smtpd that
# queues what it receives and then routes it to the smtp-amavis transport at
# [127.0.0.1]:10024 via content_filter. Only clients in 127.0.0.0/8 are
# permitted; all other restriction lists and recipient maps are emptied.
# NOTE(review): the list archive appears to have stripped leading whitespace;
# every "-o" line below must begin with whitespace to continue this entry.
# NOTE(review): because this port sends mail to the filter again, amavisd
# must not re-inject filtered mail here or it will loop; presumably its
# forward method points at 127.0.0.1:10026 - confirm in amavisd.conf.
# NOTE(review): access control is "loopback only", so every local account or
# process can submit mail here with any envelope and XFORWARD attributes.
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=smtp-amavis:[127.0.0.1]:10024
-o cleanup_service_name=post-cleanup
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
#=====================================================================
# Mail re-injection (after pre-filtering)
#=====================================================================
# Re-injection listener: a loopback-only smtpd with content_filter emptied,
# so mail accepted here is not filtered again. Clients outside 127.0.0.0/8
# are rejected at connect time (smtpd_delay_reject=no), and per-client
# connection count and rate limits are disabled.
# NOTE(review): the list archive appears to have stripped leading whitespace;
# every "-o" line below must begin with whitespace to continue this entry.
# NOTE(review): anything that can connect to 127.0.0.1:10026 bypasses all
# content filtering; the only barrier is the loopback binding plus
# mynetworks, so local accounts and services on this host are trusted.
# NOTE(review): unlike the 10025 listener, smtpd_authorized_xforward_hosts is
# not set here; unless main.cf provides it, XFORWARD from the filter is not
# accepted and logs will show 127.0.0.1 as the client - confirm.
127.0.0.1:10026 inet n - n - - smtpd
-o content_filter=
-o cleanup_service_name=post-cleanup
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
#=====================================================================
# Mail policy
#=====================================================================
# mailpolicy unix - n n - - spawn user=filter argv=/usr/sbin/kolab_smtpdpolicy
#=====================================================================
# Post-filtering
#=====================================================================
# Post-filter delivery through pipe(8): runs /usr/sbin/mailpostfilter as user
# "filter" and passes the envelope sender, recipient(s) and client address on
# its command line.
# NOTE(review): the list archive appears to have stripped leading whitespace;
# the lines after the first must begin with whitespace to continue this entry.
# NOTE(review): pipe(8) executes the command directly, without a shell, but
# ${sender} and ${recipient} originate from the SMTP envelope; the program
# has to treat them as untrusted input.
# NOTE(review): ${recipient} expands to one argument per recipient; if the
# program expects a single address after -r, set
# mailpostfilter_destination_recipient_limit=1 in main.cf - confirm.
mailpostfilter unix - n n - - pipe user=filter argv=/usr/sbin/mailpostfilter
--
-s ${sender}
-r ${recipient}
-c ${client_address}
#=====================================================================
# Mail delivery via LMTP/Dspam
#=====================================================================
# Loopback-only smtpd whose queued mail is handed to Dspam over LMTP on the
# UNIX socket /var/lib/dspam/dspam.sock.
# NOTE(review): no restriction or mynetworks overrides are given, so this
# listener inherits the smtpd restrictions from main.cf; the loopback binding
# is the only entry-specific access control - confirm that is intended.
# NOTE(review): the Postfix lmtp client needs permission to connect to the
# socket; check ownership and mode of /var/lib/dspam/dspam.sock.
127.0.0.1:10027 inet n - n - - smtpd -o content_filter=lmtp:unix:/var/lib/dspam/dspam.sock