2

I just can't seem to figure out why header_checks are not being evaluated.

I added the following line to /etc/postfix/main.cf:

header_checks = pcre:/etc/postfix/header_checks.pcre

And here is header_checks.pcre:

/^From: skrbniki@pressclip.si/  REDIRECT someone@something.si

To test it I tried:

postmap -q "From: skrbniki@pressclip.si" pcre:/etc/postfix/header_checks.pcre

which evaluates correctly and gives me the output:

REDIRECT someone@something.si

But when I receive an email from skrbniki@pressclip.si this does not work. My maillog shows:

Nov 26 07:30:11 smtp postfix/smtpd[18733]: connect from gatekeeper.pressclip.si[213.161.20.180]
Nov 26 07:30:19 smtp sqlgrey: grey: domain awl match: updating 213.161.20(213.161.20.180), pressclip.si
Nov 26 07:30:19 smtp postfix/smtpd[18733]: 0F1862111E: client=gatekeeper.pressclip.si[213.161.20.180]
Nov 26 07:30:19 smtp sqlgrey: grey: domain awl match: updating 213.161.20(213.161.20.180), pressclip.si
Nov 26 07:30:19 smtp sqlgrey: grey: domain awl match: updating 213.161.20(213.161.20.180), pressclip.si
Nov 26 07:30:19 smtp sqlgrey: grey: domain awl match: updating 213.161.20(213.161.20.180), pressclip.si
Nov 26 07:30:19 smtp sqlgrey: grey: domain awl match: updating 213.161.20(213.161.20.180), pressclip.si
Nov 26 07:30:19 smtp sqlgrey: grey: domain awl match: updating 213.161.20(213.161.20.180), pressclip.si
Nov 26 07:30:19 smtp sqlgrey: grey: domain awl match: updating 213.161.20(213.161.20.180), pressclip.si
Nov 26 07:30:19 smtp sqlgrey: grey: domain awl match: updating 213.161.20(213.161.20.180), pressclip.si
Nov 26 07:30:19 smtp sqlgrey: grey: domain awl match: updating 213.161.20(213.161.20.180), pressclip.si
Nov 26 07:30:19 smtp sqlgrey: grey: domain awl match: updating 213.161.20(213.161.20.180), pressclip.si
Nov 26 07:30:19 smtp sqlgrey: grey: domain awl match: updating 213.161.20(213.161.20.180), pressclip.si
Nov 26 07:30:19 smtp sqlgrey: grey: domain awl match: updating 213.161.20(213.161.20.180), pressclip.si
Nov 26 07:30:19 smtp postfix/cleanup[18828]: 0F1862111E: message-id=<20151126063000.BA95A2104BED@zimbra.pressclip.si>
Nov 26 07:30:21 smtp postfix/qmgr[14986]: 0F1862111E: from=<skrbniki@pressclip.si>, size=4125270, nrcpt=12 (queue active)
Nov 26 07:30:21 smtp postfix/smtpd[18733]: disconnect from gatekeeper.pressclip.si[213.161.20.180]
Nov 26 07:30:21 smtp postfix/cleanup[18827]: 09F6A212AB: message-id=<20151126063000.BA95A2104BED@zimbra.pressclip.si>
Nov 26 07:30:21 smtp postfix/qmgr[14986]: 09F6A212AB: from=<skrbniki@pressclip.si>, size=4125593, nrcpt=12 (queue active)

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 600s
body_checks = regexp:/etc/postfix/body_checks
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp:[127.0.0.1]:2526
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
luser_relay = $user@mail.ztm.si
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 30971520
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = ztm.si
myhostname = ip04.ztm.si
mynetworks = 193.2.210.0/24, 92.244.66.224/28, 127.0.0.0/8, 89.212.169.201/32, 10.0.0.0/8 172.31.255.0/24
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_starttls_timeout = 100s
smtp_tls_loglevel = 3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 300
smtpd_client_message_rate_limit = 300
smtpd_client_recipient_rate_limit = 300
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:2501
smtpd_starttls_timeout = 100s
smtpd_tls_CAfile = /etc/postfix/DigiCertCA.crt
smtpd_tls_cert_file = /etc/postfix/smtp_ztm_si.crt
smtpd_tls_key_file = /etc/postfix/smtp.key
smtpd_tls_loglevel = 3
smtpd_tls_security_level = may
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual_alias_map

master.cf

smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o broken_sasl_auth_clients=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/smtp.key
  -o smtpd_tls_cert_file=/etc/postfix/smtp_ztm_si.crt
  -o smtpd_tls_CAfile=/etc/postfix/DigiCertCA.crt
  -o content_filter=
  -o smtpd_use_tls=yes
#  -o smtpd_enforce_tls=yes
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_security_options=noanonymous
  -o broken_sasl_auth_clients=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/smtp.key
  -o smtpd_tls_cert_file=/etc/postfix/smtp_ztm_si.crt
  -o smtpd_tls_CAfile=/etc/postfix/DigiCertCA.crt
  -o smtpd_use_tls=yes
  -o smtpd_enforce_tls=yes
  -o content_filter=
#  -o content_filter=smtp:localhost:2525
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

smtp-esets unix -       -       n       -       6  lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

localhost:2525 inet  n - n - - smtpd
  -o content_filter=
  -o myhostname=esets.ztm.si
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8

Any ideas? Thanks!

Ana Sustic
  • Possible duplicate of [postfix header_checks using regexp proper setup](http://serverfault.com/questions/457953/postfix-header-checks-using-regexp-proper-setup) – Ophion Mar 17 '17 at 20:26
  • Can you post a test message, especially the From header? I would suspect things like quotes or brackets in there, which may require you to add some `.*` at appropriate places. – allo Mar 17 '17 at 22:41

3 Answers

3

One issue might be that there is a receive_override_options=no_header_body_checks somewhere in main.cf or master.cf that is turning off the header checks. In the master.cf file, it would be a -o option in one of the service configuration entries.

There are 4 options for receive_override_options:

  • no_unknown_recipient_checks Do not try to reject unknown recipients (SMTP server only). This is typically specified AFTER an external content filter.
  • no_address_mappings Disable canonical address mapping, virtual alias map expansion, address masquerading, and automatic BCC (blind carbon-copy) recipients. This is typically specified BEFORE an external content filter.
  • no_header_body_checks Disable header/body_checks. This is typically specified AFTER an external content filter.
  • no_milters Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.

The no_address_mappings option will typically be located in main.cf, while the other options go in master.cf.

The "-o receive_override_options" overrides main.cf settings to avoid duplicating work that was already done before the content filter. These options are complementary to the options that are specified in main.cf.

Source: Postfix After-Queue Content Filter

Ryan H.
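To check a configuration for the condition this answer describes, here is an added Python example (not code from the answer or from Postfix). It parses master.cf service entries and their `-o` overrides, uses main.cf's receive_override_options as the default for services without their own override, and lists the receiving services (smtpd, qmqpd, pickup) whose mail bypasses header_checks and body_checks. The embedded excerpt is constructed from the question's master.cf; flagging localhost:2525 there is expected, since that is the post-filter re-injection port of the FILTER_README pattern, so the thing to verify on a real box is that inbound mail is not first accepted on a service carrying that option.

```python
"""Find Postfix services whose mail bypasses header_checks/body_checks.

Added example, not code from the answer or from Postfix: it parses the
master.cf format (a service line at column 0 followed by indented
"-o name=value" overrides) and main.cf, then reports the receiving
services (smtpd, qmqpd, pickup) whose effective receive_override_options
contain no_header_body_checks.  A "-o" override replaces the main.cf
value for that service; services without one inherit the main.cf value.
"""
import re

# Constructed excerpt of the question's master.cf: the normal smtp listener,
# the post-filter re-injection listener, a commented-out entry and cleanup.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
localhost:2525 inet  n - n - - smtpd
  -o content_filter=
  -o myhostname=esets.ztm.si
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
#smtps     inet  n       -       n       -       -       smtpd
#  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
"""

# Constructed excerpt of the question's main.cf (postconf -n style, one
# parameter per line; main.cf continuation lines are not handled here).
MAIN_CF = """\
content_filter = smtp:[127.0.0.1]:2526
header_checks = pcre:/etc/postfix/header_checks.pcre
"""

RECEIVING_COMMANDS = {"smtpd", "qmqpd", "pickup"}   # where this parameter applies
SERVICE_TYPES = {"inet", "unix", "fifo", "pass"}
OPTION_RE = re.compile(r"^\s+-o\s+([^=\s]+)=(.*)$")


def parse_master_cf(text):
    """Return {"name/type": {"command": ..., "options": {param: value}}}."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank or comment line
        if raw[0].isspace():                  # continuation line: -o override
            m = OPTION_RE.match(raw)
            if m and current:
                services[current]["options"][m.group(1)] = m.group(2).strip()
            continue
        fields = raw.split()                  # name type private unpriv chroot wakeup maxproc command
        if len(fields) >= 8 and fields[1] in SERVICE_TYPES:
            current = f"{fields[0]}/{fields[1]}"
            services[current] = {"command": fields[7], "options": {}}
        else:
            current = None                    # malformed line: ignore its -o's
    return services


def parse_main_cf(text):
    """Return {param: value} from main.cf / postconf -n style text."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def split_options(value):
    """Turn 'a, b,c' into {'a', 'b', 'c'}; empty string gives an empty set."""
    return {opt.strip() for opt in value.split(",") if opt.strip()}


def services_skipping_header_checks(master_text, main_text):
    """Sorted names of receiving services that run with no_header_body_checks."""
    global_opts = split_options(parse_main_cf(main_text).get("receive_override_options", ""))
    skipping = []
    for name, svc in parse_master_cf(master_text).items():
        if svc["command"] not in RECEIVING_COMMANDS:
            continue
        own = svc["options"].get("receive_override_options")
        effective = split_options(own) if own is not None else global_opts
        if "no_header_body_checks" in effective:
            skipping.append(name)
    return sorted(skipping)


if __name__ == "__main__":
    print("services bypassing header_checks:",
          services_skipping_header_checks(MASTER_CF, MAIN_CF))
```

On a real system, feed it `open("/etc/postfix/master.cf").read()` and the output of `postconf -n`; a service that public MTAs connect to (the `smtp inet` listener, or submission) appearing in the result means header_checks never run on that mail, regardless of what `postmap -q` reports for the table.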
0

I encountered what appears to be the same or similar problem with postfix (seemingly) not evaluating the header_checks. I also used postmap -q to verify that the regexp was triggered, and this worked (in my case, the "Subject" header).

However, when then inspecting the email headers and raw text in the client (I was using mutt, so headers switched on by h, and saving of the raw email using |), I found the particular evading email messages had malformed Subject lines, namely containing a line break and being utf-8 encoded. (This couldn't be seen in the email client pretty print.)

Adjusting the regexp for the line break solved the issue for me. (Currently a hack; I guess the header_checks engine should interpret the input as one logical line.)

Some further hints:

  1. Check working of the regexps on saved raw mail using cat my_test_mail | postmap -h -q - regexp:/etc/postfix/header_checks.regexp

  2. Inspect hex content of mails using hexdump -C.

  3. postmap seems to perform the check against keys on the undecoded raw email text.
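Both allo's comment (a display name or angle brackets in From:) and this answer (a folded, RFC 2047 encoded header) come down to what the cleanup server actually hands to the pattern. As an added example, not code from the thread or from Postfix, the Python script below emulates that part of cleanup(8): it assembles logical headers from a raw message (a continuation line stays attached to its header with the newline kept inside the string) and applies `pcre:` table rules with the pcre_table(5) default flags (i and s on, m and x off; a flag letter toggles its default). The message and the two tables are constructed; the "fixed" pattern with `.*` and an escaped dot assumes the real From: header carries a display name or a fold, which only `postmap -h -q - pcre:/etc/postfix/header_checks.pcre < saved_message` against the saved raw message can confirm.

```python
"""Offline emulation of what Postfix header_checks see for each header.

Added example, not code from the thread or from Postfix: it assembles
logical headers the way cleanup(8) presents them (continuation lines stay
joined to their header with the newline kept) and applies "pcre:" table
rules with the pcre_table(5) default flags (i and s on, m and x off; the
flag letters toggle those defaults).  Message and tables are constructed.
"""
import re

# Constructed message: encoded display name plus a folded From: header,
# the variants the comment and answer 2 say defeat "^From: addr".
RAW_MESSAGE = (
    "Received: from gatekeeper.pressclip.si (gatekeeper.pressclip.si [192.0.2.10])\n"
    "\tby smtp.example.si (Postfix) with ESMTP id 0F1862111E\n"
    "From: =?utf-8?Q?Skrbniki?=\n"
    " <skrbniki@pressclip.si>\n"
    "Subject: test\n"
    "\n"
    "body text\n"
)

# The question's rule, and a looser one that tolerates a display name,
# RFC 2047 encoding and a fold (the escaped dot is the only other change).
ORIGINAL_TABLE = "/^From: skrbniki@pressclip.si/  REDIRECT someone@something.si\n"
FIXED_TABLE = r"/^From:.*skrbniki@pressclip\.si/  REDIRECT someone@something.si" + "\n"

# '/pattern/flags action', optionally prefixed with '!' to negate the match.
RULE_RE = re.compile(r"^(!?)/((?:[^/\\]|\\.)*)/([A-Za-z]*)\s+(.*)$")


def logical_headers(raw):
    """Split the header block of a raw message into logical header lines.

    A physical line starting with SP or TAB continues the previous header;
    the newline is kept inside the logical line, so a pattern has to cross
    it with a newline-matching .* (pcre s flag on) or an explicit \\n.
    """
    headers = []
    for line in raw.split("\n"):
        if line == "":                 # blank line terminates the headers
            break
        if line[0] in " \t" and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers


def compile_table(table_text):
    """Parse the rules of a pcre: table into (negate, regex, action) tuples."""
    rules = []
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable rule: {line!r}")
        negate, pattern, flags, action = m.groups()
        re_flags = re.IGNORECASE | re.DOTALL       # pcre_table(5) defaults
        for letter, bit in (("i", re.IGNORECASE), ("s", re.DOTALL),
                            ("m", re.MULTILINE), ("x", re.VERBOSE)):
            if letter in flags:
                re_flags ^= bit                     # each letter toggles its default
        rules.append((negate == "!", re.compile(pattern, re_flags), action))
    return rules


def header_checks(raw, table_text):
    """Return the action of the first rule matching any logical header, else None."""
    rules = compile_table(table_text)
    for header in logical_headers(raw):
        for negate, regex, action in rules:
            if (regex.search(header) is not None) != negate:
                return action
    return None


if __name__ == "__main__":
    for name, table in (("original", ORIGINAL_TABLE), ("fixed", FIXED_TABLE)):
        print(f"{name:8s} -> {header_checks(RAW_MESSAGE, table)}")
```

Running it shows the question's rule matching the bare `From: skrbniki@pressclip.si` that `postmap -q` was fed, but not the folded, encoded header, while the `.*` variant matches both. Appending the `s` flag to the looser rule turns dot-matches-newline off, and the folded header stops matching again, which is the line-break effect this answer describes.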

0

As @HZC says it could be an -o receive_override_options issue. I had the same problem here: My issue, and solved it following the post postfix header_checks using regexp proper setup. My case was a REJECT instead of DISCARD. You use DISCARD in case you want to cheat the spammer: the spammer won't receive any notification. For more info about this you can visit this link and see the REJECT ACTIONS section.

DISCARD structure:

    DISCARD optional text...
        Claim successful delivery and silently discard the message. Log
        the optional text if specified, otherwise log a generic message.
Ophion