King0770-Notes-Header-Checks: Difference between revisions
No edit summary |
|||
(12 intermediate revisions by the same user not shown) | |||
Line 48: | Line 48: | ||
/^Subject:(.*)\?KOI8-R\?/ DISCARD #spam rule Russian encoding not allowed by this server | /^Subject:(.*)\?KOI8-R\?/ DISCARD #spam rule Russian encoding not allowed by this server | ||
/^Subject:.* | /^Subject:.*Bad Word*/ REPLACE Subject: Censored | ||
/^From:(.*)Slice-O-Matic Reviews/ DISCARD #spam rule No slice o-matics | /^From:(.*)Slice-O-Matic Reviews/ DISCARD #spam rule No slice o-matics | ||
Line 63: | Line 63: | ||
/^To:(.*)<(.*)@yahoo.com>(.*)/ REDIRECT monitor@domainexample.com | /^To:(.*)<(.*)@yahoo.com>(.*)/ REDIRECT monitor@domainexample.com | ||
/^To:(.*)*@example.com/ FILTER smtp:mail.anothercompany.au | |||
/^To:(.*)*@myprivatecompany.local/ FILTER smtp:192.168.1.25 | |||
/^Cc:(.*)everybody@domain.com/ . DISCARD # Drop any messages that are CC'd to a specific address | |||
/^To:(.*)somebody@example.com/ BCC manger@domainexample.com #BCC to the manager | |||
/^Received: from .+\..+\.mydomain\.com .+(by mail\.mydomain\.com .+) / REPLACE Received: $1 | /^Received: from .+\..+\.mydomain\.com .+(by mail\.mydomain\.com .+) / REPLACE Received: $1 | ||
Line 70: | Line 78: | ||
/^Received: from .*\.local/ IGNORE | /^Received: from .*\.local/ IGNORE | ||
/^Received:.*\[192\.168\.0\.[0-9]/ IGNORE | |||
/^Received:.*\[192\.168\.99\.254/ IGNORE # Hide my internal IP | |||
/^Received:/ IGNORE # Hide my internal IP | |||
</pre></code> | |||
==Section V - FAQ's== | ==Section V - FAQ's== | ||
Question: I want to implement header_checks of my own, will Zimbra Support officially support custom header_checks?<br> | <strong>Question: I want to implement header_checks of my own, will Zimbra Support officially support custom header_checks?</strong><br> | ||
Answer: No. However, you are free to add your own header_checks. | Answer: No. However, you are free to add your own header_checks. | ||
<br> | <br> | ||
Question: I noticed Zimbra uses /opt/zimbra/conf/postfix_header_checks.in, can I edit this file?<br> | <strong>Question: I noticed Zimbra uses /opt/zimbra/conf/postfix_header_checks.in, can I edit this file?</strong><br> | ||
Answer: I would suggest if you are wanting to use your own header_checks, keep your header_checks files separate; header_checks for Zimbra, and your own custom header_checks file. | Answer: I would suggest if you are wanting to use your own header_checks, keep your header_checks files separate; header_checks for Zimbra, and your own custom header_checks file. | ||
<br> | <br> | ||
Question: I noticed you are using "DISCARD" in your examples, why are you not using "REJECT"?<br> | <strong>Question: I noticed you are using "DISCARD" in your examples, why are you not using "REJECT"?</strong><br> | ||
Answer: Because using "DISCARD" means the MTA will delete the message; which is what I want given the regexp syntax. The "REJECT" notation will let senders know that their message was rejected, and the MTA refused to deliver their message. | Answer: Because using "DISCARD" means the MTA will delete the message; which is what I want given the regexp syntax. The "REJECT" notation will let senders know that their message was rejected, and the MTA refused to deliver their message. | ||
<br> | <br> | ||
Question: I've added a header_check rule, but it's not working, what do I do?<br> | <strong>Question: I've added a header_check rule, but it's not working, what do I do?</strong><br> | ||
Answer: Postfix does a good job notating why a specific header_check rule didn't work. Check the /var/log/zimbra.log file. | Answer: Postfix does a good job notating why a specific header_check rule didn't work. Check the /var/log/zimbra.log file. | ||
<code><pre> | <code><pre> | ||
Line 95: | Line 107: | ||
<br> | <br> | ||
Question: I noticed in your examples you are using #spam rule, why?<br> | <strong>Question: I noticed in your examples you are using #spam rule, why?</strong><br> | ||
Answer: Easy grepping of the /var/log/zimbra.log file. | Answer: Easy grepping of the /var/log/zimbra.log file. | ||
<code><pre> | <code><pre> | ||
Line 102: | Line 114: | ||
<br> | <br> | ||
Question: Are there any examples on the Internet?<br> | <strong>Question: Are there any examples on the Internet?</strong><br> | ||
Answer: Yes. Just search for "header_checks by example" | Answer: Yes. Just search for "header_checks by example" | ||
==Section VI - ZCS 8.5, 8.6, 8.7== | ==Section VI - ZCS 8.5, 8.6, 8.7, 8.8== | ||
If you are using ZCS-8.5, 8.6, or 8.7, update the <strong>zimbraMtaHeaderChecks</strong> setting, instead of updating the local config by running zmlocalconfig. | If you are using ZCS-8.5, 8.6, or 8.7, update the <strong>zimbraMtaHeaderChecks</strong> setting, instead of updating the local config by running zmlocalconfig. | ||
Line 118: | Line 130: | ||
By default, Zimbra does not touch the MTA body_checks feature. However, updating the zmconfigd.cf and localconfig should make postfix start using the body_checks setting. See, https://bugzilla.zimbra.com/show_bug.cgi?id=103124.<br> | By default, Zimbra does not touch the MTA body_checks feature. However, updating the zmconfigd.cf and localconfig should make postfix start using the body_checks setting. See, https://bugzilla.zimbra.com/show_bug.cgi?id=103124.<br> | ||
If you want to implement the MTA's body_checks feature, you can do the following.<br> | If you want to implement the MTA's body_checks feature, you can do the following.<br> | ||
<strong>Note: This is for versions for 8.5, 8.6, | <strong>Note: This is for versions for 8.5, 8.6, 8.7, 8.8</strong> | ||
<code><pre> | <code><pre> | ||
Line 143: | Line 155: | ||
body_checks = pcre:/opt/zimbra/conf/custom_body_checks <<== Should see this line | body_checks = pcre:/opt/zimbra/conf/custom_body_checks <<== Should see this line | ||
</pre></code> | </pre></code> | ||
More articles written by me, https://wiki.zimbra.com/wiki/King0770-Notes | |||
Line 148: | Line 163: | ||
[[Category:Command Line Interface]] | [[Category:Command Line Interface]] | ||
[[Category:MTA]] | [[Category:MTA]] | ||
[[Category:King0770-Notes]] |
Revision as of 19:05, 15 November 2019
Section I - General Info
As a long time fan of Postfix, I use Postfix's header_check feature to discard messages (or redirect) I don't want coming off the wire. In my opinion, using Postfix to discard unwanted messages is a good way to keep spam messages away. However, using header_checks must be used with care. The purpose of this wiki is to guide you to add your own header_checks file for the Zimbra-MTA system.
Section II - Prepare ZCS Machines
First, look at the postfix_header_checks in Zimbra's localconfig.
zmlocalconfig | grep header_checks
Most likely you will see the following:
postfix_header_checks = pcre:/opt/zimbra/conf/postfix_header_checks
Now, lets create our own header_checks file. Note: For this wiki, I am going to create a "custom_header_checks" file, but you can create your own file.
touch /opt/zimbra/conf/custom_header_checks
zmlocalconfig -e postfix_header_checks="pcre:/opt/zimbra/conf/postfix_header_checks, pcre:/opt/zimbra/conf/custom_header_checks"
zmmtactl restart
zmlocalconfig | grep postfix_header_checks
You should see:
postfix_header_checks = pcre:/opt/zimbra/conf/postfix_header_checks, pcre:/opt/zimbra/conf/custom_header_checks
Don't forget to use postconf to make sure the changes are picked up.
postconf | grep header_checks
If the header_checks are not picked up from the postconf command, run the following command.
zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE
zmmtactl restart
Section III - Editing your custom header checks file
Editing your /opt/zimbra/conf/custom_header_checks is fairly straight forward, just use your favorite editor, i.e vi, nano, emacs.
No need to run postmap against the /opt/zimbra/conf/custom_header_checks
Section IV - Header checks syntax by example
In the interest of brevity and simplicity, I am only going provide a few examples. Honestly, I've only scratched the surface of this feature.
/^Subject:(.*)From U.S. Ambassador to Nigeria/ DISCARD #spam rule no msgs from Nigeria
/^Subject:(.*)\?KOI8-R\?/ DISCARD #spam rule Russian encoding not allowed by this server
/^Subject:.*Bad Word*/ REPLACE Subject: Censored
/^From:(.*)Slice-O-Matic Reviews/ DISCARD #spam rule No slice o-matics
/^From:(.*)Your Free iPad/ DISCARD #spam rule No thank you
/^From:(.*)user005@badspammerdomain.com/ DISCARD #spam Known spammer address
/^From:(.*)Tarot Reading/ DISCARD #spam rule No Tarot reading
/^From:(.*)someaccount@yahoo.com/ REDIRECT ceo@domainexample.com #spam rule redirect all messages from this address
/^From:(.*)<(.*)@yahoo.com>(.*)/ REDIRECT monitor@domainexample.com
/^To:(.*)<(.*)@yahoo.com>(.*)/ REDIRECT monitor@domainexample.com
/^To:(.*)*@example.com/ FILTER smtp:mail.anothercompany.au
/^To:(.*)*@myprivatecompany.local/ FILTER smtp:192.168.1.25
/^Cc:(.*)everybody@domain.com/ . DISCARD # Drop any messages that are CC'd to a specific address
/^To:(.*)somebody@example.com/ BCC manger@domainexample.com #BCC to the manager
/^Received: from .+\..+\.mydomain\.com .+(by mail\.mydomain\.com .+) / REPLACE Received: $1
/^Received: from mac7\.local/ IGNORE
/^Received: from .*\.local/ IGNORE
/^Received:.*\[192\.168\.0\.[0-9]/ IGNORE
/^Received:.*\[192\.168\.99\.254/ IGNORE # Hide my internal IP
/^Received:/ IGNORE # Hide my internal IP
Section V - FAQ's
Question: I want to implement header_checks of my own, will Zimbra Support officially support custom header_checks?
Answer: No. However, you are free to add your own header_checks.
Question: I noticed Zimbra uses /opt/zimbra/conf/postfix_header_checks.in, can I edit this file?
Answer: I would suggest if you are wanting to use your own header_checks, keep your header_checks files separate; header_checks for Zimbra, and your own custom header_checks file.
Question: I noticed you are using "DISCARD" in your examples, why are you not using "REJECT"?
Answer: Because using "DISCARD" means the MTA will delete the message; which is what I want given the regexp syntax. The "REJECT" notation will let senders know that their message was rejected, and the MTA refused to deliver their message.
Question: I've added a header_check rule, but it's not working, what do I do?
Answer: Postfix does a good job notating why a specific header_check rule didn't work. Check the /var/log/zimbra.log file.
grep warning /var/log/zimbra.log
Question: I noticed in your examples you are using #spam rule, why?
Answer: Easy grepping of the /var/log/zimbra.log file.
grep "spam rule" /var/log/zimbra.log
Question: Are there any examples on the Internet?
Answer: Yes. Just search for "header_checks by example"
Section VI - ZCS 8.5, 8.6, 8.7, 8.8
If you are using ZCS-8.5, 8.6, or 8.7, update the zimbraMtaHeaderChecks setting, instead of updating the local config by running zmlocalconfig.
zmprov mcf zimbraMtaHeaderChecks 'pcre:/opt/zimbra/conf/postfix_header_checks pcre:/opt/zimbra/conf/custom_header_checks'
zmmtactl restart
Section VII - Body Checks
By default, Zimbra does not touch the MTA body_checks feature. However, updating the zmconfigd.cf and localconfig should make postfix start using the body_checks setting. See, https://bugzilla.zimbra.com/show_bug.cgi?id=103124.
If you want to implement the MTA's body_checks feature, you can do the following.
Note: This is for versions for 8.5, 8.6, 8.7, 8.8
Add the following to the /opt/zimbra/conf/zmconfigd.cf file (right below delay_warning_time, and above header_checks)
POSTCONF body_checks LOCAL postfix_body_checks
Then update zimbra's localconfig...
zmlocalconfig -e postfix_body_checks="pcre:/opt/zimbra/conf/custom_body_checks"
touch /opt/zimbra/conf/custom_body_checks
Restart the MTA to pick up the changes.
zmmtactl stop
zmmtactl start
Then check it...
postconf | grep "^body_checks ="
body_checks = pcre:/opt/zimbra/conf/custom_body_checks <<== Should see this line
More articles written by me, https://wiki.zimbra.com/wiki/King0770-Notes