Header -> amavis quarantine

Dominic Raferd dominic at timedicer.co.uk
Sat Feb 10 19:20:26 CET 2018


On 9 February 2018 at 17:56, Markus Clardy <markus at clardy.eu> wrote:
> On Fri, Feb 9, 2018 at 5:41 PM, Dominic Raferd <dominic at timedicer.co.uk>
> wrote:
>>
>> On 9 February 2018 at 16:59, Markus Clardy <markus at clardy.eu> wrote:
>> > On Fri, Feb 9, 2018 at 4:23 PM, Dominic Raferd <dominic at timedicer.co.uk>
>> > wrote:
>> >>
>> >> Is there a way to have the presence of a specific header (or, better,
>> >> a specific beginning to a header, where the later text might vary)
>> >> cause quarantining by amavis? Use case is that postfix header_checks
>> >> will identify a suspect mail and add the header before the mail is
>> >> passed to amavis.
>> >>
>> >> Example header which should lead to amavis quarantining the mail:
>> >>
>> >> X-Hold: mydomain.tld; Withheld by order of check_header.pcre (.world
>> >> domain)
>> >>
>> >> I feel sure amavis is powerful enough to do this but the plethora of
>> >> options, and the perl terminology, leave me baffled. Thanks for any
>> >> help.
>> >>
>> > What you can do is have a port/policy in Amavisd for Quarantining
>> > everything, then just instead of adding a header in Postfix, have the
>> > mail redirect to that port.
>> >
>> > This way, mail that is meant to be held as designated by Postfix, will
>> > go to the quarantine that way.
>> >
>>
>> Thanks Markus but I want amavis to continue doing its own stuff as
>> normal as well as quarantining these extra mails. Also it sounds
>> complicated to resubmit mails via a different port but it is very easy
>> to add a header using the postfix PREPEND option.
> Not that hard actually.
>
> You create a new port for Amavisd:
>
> $inet_socket_port = [10024, 10030];
>
> Then create a Policy for it:
>
> $interface_policy{'10030'} = 'Quarantine.Postfix';
> $policy_bank{'Quarantine.Postfix'} = {
>     archive_quarantine_to_maps => ['archive-quarantine'],
>     archive_quarantine_method => 'local:hold-%m',
>     final_destiny_maps_by_ccat => { REPLACE => 1, &CC_CATCHALL => D_DISCARD },
>     forward_method => 'smtp:[127.0.0.1]:10024'
> };
>
>
> After that, in your header checks, you would have the header check cause
> "FILTER smtp-amavis:[127.0.0.1]:10030" instead of "PREPEND X-Hold: ....".
>
> This will mean that any mail submitted on port 10030 of Amavisd gets
> quarantined (and will appear as hold-UniqID in your quarantine, UniqID being
> the Amavisd ID), and anything submitted on your normal port (assumed 10024
> in this case), will get scanned as normal.
>
> This is just an example, and you could do more with it if you'd like, such
> as separating different reasons to be quarantined.
>
>
> To my knowledge, Amavis doesn't have an automatic quarantine header list.
>
>
>
> The other option would be to add a large score in SpamAssassin if this
> header is found. That would also cause the mail to get quarantined, but may
> not appear necessarily the same way you are looking for it to appear in the
> quarantine (it'll get marked as Spam).
>

I've implemented your second suggestion with a couple of lines in
/etc/spamassassin/local.cf thus:

header LOCAL_SUSPECT_HEADER X-Hold =~ /mydomain\.tld; suspect/
score LOCAL_SUSPECT_HEADER 9

and entries in my postfix access tables like this:

world PREPEND X-Hold: mydomain.tld; suspect sender (.world)

and it is working perfectly. Thanks for your help.
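
An added example, not part of the original message: a small Python check that every PREPEND entry in a Postfix access table is actually matched by a SpamAssassin header rule, so a typo in either file does not silently let marked mail through unscored. The extra table entries and the function names are constructed for illustration, and it assumes the rule's pattern is simple enough to be valid in both Perl and Python regex syntax.

```python
import re

# Constructed sample inputs modelled on the two snippets in the message above.
LOCAL_CF = r"""
header LOCAL_SUSPECT_HEADER X-Hold =~ /mydomain\.tld; suspect/
score LOCAL_SUSPECT_HEADER 9
"""
ACCESS_TABLE = """
# constructed entries; only the first one is from the post
world   PREPEND X-Hold: mydomain.tld; suspect sender (.world)
top     PREPEND X-Hold: mydomain.tld; Suspect sender (.top)
xyz     PREPEND X-Held: mydomain.tld; suspect sender (.xyz)
example.org OK
"""

# "header NAME Header-Name =~ /pattern/flags" (simple header rules only)
HEADER_RULE = re.compile(r"^header\s+(\S+)\s+([\w-]+)\s+=~\s+/(.*)/(\w*)\s*$")
# "key PREPEND Header-Name: value"
PREPEND = re.compile(r"^(\S+)\s+PREPEND\s+([\w-]+):\s*(.*)$")

def parse_header_rules(local_cf):
    """Return {rule_name: (header_name_lowercased, compiled_regex)}."""
    rules = {}
    for line in local_cf.splitlines():
        m = HEADER_RULE.match(line.strip())
        if m:
            name, header, pattern, flags = m.groups()
            rx = re.compile(pattern, re.I if "i" in flags else 0)
            rules[name] = (header.lower(), rx)
    return rules

def unmatched_prepends(access_table, rules):
    """Return access-table keys whose prepended header no rule would hit."""
    missed = []
    for line in access_table.splitlines():
        m = PREPEND.match(line.strip())
        if not m:
            continue  # comments, blank lines and non-PREPEND actions
        key, header, value = m.groups()
        # Header field names are compared case-insensitively; values are not.
        if not any(h == header.lower() and rx.search(value)
                   for h, rx in rules.values()):
            missed.append(key)
    return missed

if __name__ == "__main__":
    for key in unmatched_prepends(ACCESS_TABLE, parse_header_rules(LOCAL_CF)):
        print(f"access entry '{key}' prepends a header that no rule matches")
```
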

