Running Postfix on Ubuntu 22.04, I'd like to make sure all outgoing mail originating from the server (e.g. mail forms on websites and stuff) is filtered for spam and malware. I'm using Amavis, which is filtering inbound, but not outbound.

For example, if I try to send an EICAR test out like this:

echo "$email_message" | mailx -a "From:My name <[email protected]>" -s "EICAR test" [email protected]

I see this in the log (Gmail blocks it but not Amavis):

Oct 30 08:26:08 servername.uk postfix/pickup[1912445]: 60743BA7BC: uid=1000 from=<[email protected]>
Oct 30 08:26:08 servername.uk postfix/cleanup[1919542]: 60743BA7BC: message-id=<[email protected]>
Oct 30 08:26:08 servername.uk postfix/qmgr[1412608]: 60743BA7BC: from=<[email protected]>, size=461, nrcpt=1 (queue active)
Oct 30 08:26:09 servername.uk postfix/smtp[1919543]: 60743BA7BC: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c04::1a]:25, delay=0.64, delays=0.06/0/0.18/0.4, dsn=5.7.0, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:400c:c04::1a] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0  https://support.google.com/mail/?p=BlockedMessage to review our 552 5.7.0 message content and attachment content guidelines. v21-20020a05600c471500b0040641a9f008si5224346wmo.224 - gsmtp (in reply to end of DATA command))

I see it's using the postfix/pickup service, whereas the Amavis service is on postfix/smtp. Can I add an Amavis filter to pickup? How do I do that?

EDIT: It occurs to me that "mail forms on websites and stuff" may involve some other technique (so may be a separate question), but either way I'd like to have local mail filtered.

1 Answer

Postfix treats mail differently when it doesn't arrive over SMTP, for example when it is directly submitted with the [/usr/lib/]sendmail command.

Unfortunately, that is typically the default method many mail forms and libraries use to send mail, and also what mailx uses by default.

You can add milters/filters to mail that is sent via that sendmail route, with the non_smtpd_milters setting, but that comes with a big warning:

The non-SMTP Milter applications handle mail that arrives via the Postfix sendmail(1) command-line or via the Postfix qmqpd(8) server. They are typically used to digitally sign mail. Although non-SMTP filters can be used to filter unwanted mail, there are limitations as discussed later in this section.
...
This generally works as expected, with only one exception: non-SMTP filters must not REJECT or TEMPFAIL simulated RCPT TO command.
When a non_smtpd_milters application REJECTs or TEMPFAILs a recipient, Postfix will report a configuration error, and mail will stay in the queue.

See https://www.postfix.org/MILTER_README.html for a more detailed explanation.

  • OK, so assuming I set milter_default_action = accept would it be OK to simply add non_smtpd_milters = smtp-amavis:[127.0.0.1]:10024 to my main.cf and that's it? Or are you saying that Amavis would result in a REJECT on detecting spam and then it would all go wrong? Commented Oct 30, 2023 at 11:27
  • I don't know enough of the amavis internal workings to give you guidance on that.
    – HBruijn
    Commented Oct 30, 2023 at 12:46
  • That warning is a bit mysterious though in the context of mail filtering. If REJECT or TEMPFAIL isn't going to work in filtering out mail, what will I wonder? I guess that's why it says it's typically used to digitally sign mail. Commented Oct 30, 2023 at 13:46
  • I think that when the non_smtpd_filter rejects e-mail there isn't a proper way to get it out of Postfix again; it probably isn't considered / treated as a bounce and returned to a sender's INBOX, but I'm only guessing. A bit of a catch-22 for Postfix itself
    – HBruijn
    Commented Oct 30, 2023 at 14:24
  • No. It will generate an NDN and log a configuration error if you attempt to reject in a non-SMTP milter. In general, I don't quite understand the idea of filtering local mailserver mail. You can filter the mail arriving via SMTP submission; that will work. It is a good idea to set up all mail forms (web applications) and other applications to authenticate, which requires the use of SMTP anyway, so I believe a properly designed mail sender will not be caught up with this. Just don't routinely use command-line sendmail for everything (e.g. don't use mail() in PHP, etc.) Commented Oct 30, 2023 at 16:06
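
To find out which senders on a server still use the sendmail route discussed above, the mail log can be audited for queue IDs that were created by postfix/pickup and then handed straight to a remote relay. The script below is an added example, not part of the question, answer or comments, and not Postfix or Amavis code. It assumes the filter runs as an after-queue hop on a loopback address (such as the 127.0.0.1:10024 mentioned in the comments), so mail filtered by a milter instead would still be listed; the sample log, hostnames and addresses are constructed.

```python
import re

# Constructed sample log, modeled on the lines in the question. Hostnames,
# addresses and queue IDs are made up; 10024 is the Amavis port from the comments.
SAMPLE_LOG = """\
Oct 30 08:26:08 mx postfix/pickup[1912445]: 60743BA7BC: uid=1000 from=<web@example.org>
Oct 30 08:26:08 mx postfix/qmgr[1412608]: 60743BA7BC: from=<web@example.org>, size=461, nrcpt=1 (queue active)
Oct 30 08:26:09 mx postfix/smtp[1919543]: 60743BA7BC: to=<a@example.com>, relay=mx.example.com[203.0.113.5]:25, dsn=5.7.0, status=bounced (blocked)
Oct 30 08:30:01 mx postfix/smtpd[1919600]: 7A1B2C3D4E: client=unknown[198.51.100.7]
Oct 30 08:30:02 mx postfix/smtp[1919601]: 7A1B2C3D4E: to=<b@example.com>, relay=127.0.0.1[127.0.0.1]:10024, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Oct 30 08:30:02 mx postfix/smtpd[1919605]: 8B2C3D4E5F: client=localhost[127.0.0.1]
Oct 30 08:30:03 mx postfix/smtp[1919606]: 8B2C3D4E5F: to=<b@example.com>, relay=mx.example.com[203.0.113.5]:25, dsn=2.0.0, status=sent (250 ok)
Oct 30 08:31:00 mx postfix/smtpd[1919610]: warning: hostname lookup failed
"""

# Assumes default short (uppercase hex) queue IDs, not enable_long_queue_ids.
LINE = re.compile(r"postfix\S*/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")
RELAY = re.compile(r"relay=([^\[,\s]+)(?:\[([^\]]+)\])?")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def unfiltered_local_submissions(log_text):
    """Return (queue_id, relay) for mail that entered via pickup(8), i.e. the
    sendmail command, and was handed by smtp(8) to a non-loopback relay."""
    origin = {}    # queue ID -> service that created the queue file
    flagged = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        service, qid, rest = m.groups()
        if service in ("pickup", "smtpd"):
            origin[qid] = service
        elif service == "qmgr" and rest.strip() == "removed":
            origin.pop(qid, None)      # short queue IDs get reused later
        elif service == "smtp" and origin.get(qid) == "pickup":
            r = RELAY.search(rest)
            if r and r.group(1) != "none" and (r.group(2) or r.group(1)) not in LOOPBACK:
                flagged.append((qid, r.group(1)))
    return flagged


if __name__ == "__main__":
    for qid, relay in unfiltered_local_submissions(SAMPLE_LOG):
        print(f"{qid}: local submission delivered to {relay} without a filter hop")
```

Joining the flagged queue IDs with the uid= field on the matching pickup line shows which local account (for example the web server user) submitted the message.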
